Methods and systems for updating a secure boot device using cryptographically secured communications across unsecured networks

ABSTRACT

Methods and systems for updating a virtual terminal associated with a secure network are disclosed. One method includes validating at a service enclave an identity of a user of a virtual terminal. The service enclave includes an authorization server, and the virtual terminal is generated from a trusted set of processing modules executing from a secure boot device at a client computing device. The method further includes authorizing the user of the virtual terminal to access a customer enclave and an update enclave based on security credentials received from the virtual terminal. The method also includes, while the user of the virtual terminal establishes a secure connection between the client computing device and the customer enclave, transmitting updates from the update enclave to the client computing device, thereby updating the trusted set of processing modules.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application claims priority to U.S. Provisional PatentApplication No. 61/389,511, filed Oct. 4, 2010, and entitled “System andMethod for Providing a USB Stick-Based Thin Client”, Attorney Docket No.TN521.P, the disclosure of which is hereby incorporated by reference inits entirety.

The present application also claims priority to U.S. Provisional PatentApplication No. 61/389,535, filed Oct. 4, 2010, and entitled “System andMethod for Providing a Stealth Secure Virtual Terminal”, Attorney DocketNo. TN533.P, the disclosure of which is hereby incorporated by referencein its entirety.

The present application also claims priority to U.S. patent applicationSer. No. 11/714,598, filed Mar. 6, 2007, entitled “Gateway for SecuringData to/from a Private Network”, Attorney Docket No. TN400.US-CIP3, thedisclosure of which is hereby incorporated by reference in its entirety.

The present application also claims priority to U.S. patent applicationSer. No. 11/714,590, filed Mar. 6, 2007, entitled “Securing andPartitioning Data-in-Motion Using a Community-of-Interest”, AttorneyDocket No. TN400.US-CIP1, the disclosure of which is hereby incorporatedby reference in its entirety.

The present application also claims priority to U.S. patent applicationSer. No. 11/714,666, filed Mar. 6, 2007, entitled “Communicating SplitPortions of Data Set Across Multiple Data Path”, Attorney Docket No.TN400.US-CIP2, the disclosure of which is hereby incorporated byreference in its entirety.

The present application also claims priority to U.S. patent applicationSer. No. 11/339,974, filed Jan. 26, 2006, entitled “IntegratedMulti-Level Security System”, Attorney Docket No. TN400.US, thedisclosure of which is hereby incorporated by reference in its entirety.

The present application also claims priority to U.S. Provisional PatentApplication No. 60/648,531, filed Jan. 31, 2005, entitled “DistributedSecurity on Multiple Independent Networks Using Secure ‘Parsing’Technology”, Attorney Docket No. TN400.P, the disclosure of which ishereby incorporated by reference in its entirety.

TECHNICAL FIELD

The present application relates generally to secured data communication.In particular, the present application relates to methods and systemsfor providing and controlling secure communications across unsecurednetworks.

BACKGROUND

Security is often maintained in organizations by segregating physicalnetworks used by each group of users. This acts to restrict access todata available on computers and databases used in such networks. Forexample, it prevents someone in engineering from gaining access to dataused in the payroll department's network and vice versa. While separatelocal network infrastructures help to maintain security of data,superfluous equipment and maintenance is required to maintain thesesegregated networks. This adds expense, and complexity to the datainfrastructures of such organizations.

Furthermore, regardless of the organizational structure of networks usedin commercial, governmental, and other settings, there is an everincreasing security concern that sensitive data transmitted or stored onlocal networks will be accessed by an unauthorized individual oraccidentally accessed or disclosed outside of a community-of-interest,hence compromising the secret data. Exacerbating this problem is thefact that security threats can also often originate from insiders.Whether the threat is intentional or unintentional, transmitting dataexclusively in one security level partitioned network or another doesnot protect the data if it is in plaintext format. This is because evenstrict physical segregation of a network by security level is noguarantee that data will not be disseminated to end-users outside thatsecurity level.

The above security concerns are only further exacerbated when access toopen or public networks is provided or required, for example in the caseof accessing secure networks remotely via the Internet. For example, thegrowth of the Internet and related network communication networks hasgiven rise to increasingly larger numbers of distributed informationprocessing systems in which individual users obtain information from anever increasing number of sources. For example, in the banking industry,electronic communications by customers to their banking institutions toengage in electronic financial transactions is an increasing form ofinteraction between the customers and the banks. Other organizations orinstitutions requiring highly secured communications overtypically-unsecure networks have analogous problems.

In making these transactions possible, customers use any number ofcomputing systems attached to the Internet to communicate with serversoperated by their banking institutions to send commands and receive dataassociated with these transactions. Banks are typically not able tocontrol the customer's computing systems in a meaningful way that maygive rise to potential security issues. A summary of some of thesesecurity threats are described in detail in a Unisys White Paperentitled “Zeus Malware: Threat Banking Industry” that is incorporatedherein by reference in its entirety.

The present invention addresses these limitations of the prior computingsystems.

SUMMARY

In accordance with the present disclosure, the above and other problemsare solved by providing a method, apparatus, and article of manufacturefor providing a thin client for providing secure access to network-basedservices from a computing system attached to a generally unsecurednetwork. Various aspects of this thin client, and systems enabling thinclient access to such services, for example web based services, aredisclosed as well.

In a first aspect, a method for updating a virtual terminal associatedwith a secure network are disclosed. The method includes validating at aservice enclave an identity of a user of a virtual terminal. The serviceenclave includes an authorization server, and the virtual terminal isgenerated from a trusted set of processing modules executing from asecure boot device at a client computing device. The method furtherincludes authorizing the user of the virtual terminal to access acustomer enclave and an update enclave based on security credentialsreceived from the virtual terminal. The method also includes, while theuser of the virtual terminal establishes a secure connection between theclient computing device and the customer enclave, transmitting updatesfrom the update enclave to the client computing device, thereby updatingthe trusted set of processing modules.

In a second aspect, a system for updating one or more trusted softwaremodules in a secure boot device directly connected to a client computingsystem is disclosed. The system includes a service enclave configured toreceive and respond to authentication and authorization requests from aclient computing system, and to define one or more communities ofinterest associated with a secure boot device. The system also includesa customer enclave configured to, upon authorization of the secure bootdevice at the service enclave, establish a secure connection to theclient computing system and receive transaction information from theclient computing system. The system includes an update enclaveconfigured to, while the secure connection is established between thecustomer enclave and the client computing device, establish a secondsecure connection between the update enclave and the client computingdevice and update one or more of the trusted software modules.

In a third aspect, a computer-storage medium storing computinginstructions is disclosed. The instructions, when executed, implement acomputerized method of updating a virtual terminal associated with asecure network. The computerized method includes validating at a serviceenclave an identity of a user of a virtual terminal, the service enclaveincluding an authorization server, and the virtual terminal generatedfrom a trusted set of processing modules executing from a secure bootdevice at a client computing device. The method further includesauthorizing the user of the virtual terminal to access a customerenclave based on security credentials received from the virtualterminal. The method also includes, while the user of the virtualterminal establishes a secure connection between the client computingdevice and the customer enclave, transmitting updates from an updateenclave to the client computing device, thereby updating the trusted setof processing modules.

In some aspects, a utility of the present disclosure is that, amongother aspects, it provides a method for securely connecting a clientcomputer, such as one having a secure boot device to a remote serverover a communications network. The method boots a client computer from atrusted set of processing modules stored in the secure boot device,verifies the contents of the trusted set of processing modules prior toexecution of these processing modules, provides authenticationinformation from data stored upon the secure boot device to anauthorization server to establish a secure connection to another server,such as a web services server. In some aspects, the method establishesthe secure connection with the server using encryption keys stored onthe secure boot device, and transfers data between the client computerand the server over the secure connection to perform transactionsinitiated by a user of the client computer. Additionally, the presentdisclosure provides for control and update of software executing at aclient computing device. The server computer utilizes encryption keysassociated with a unique ID from the secure boot device. Additionally,distributed networks are provided that allow for distributed resourcemanagement, to allow customers access to private network areas thatshare resources with other customers, while also ensuring secure key andupdate management for each customer.

These and various other features as well as advantages, whichcharacterize the present disclosure, will be apparent from a reading ofthe following detailed description and a review of the associateddrawings.

BRIEF DESCRIPTION OF THE DRAWINGS

Referring now to the drawings in which like reference numbers representcorresponding parts throughout:

FIG. 1 illustrates a distributed system using according to oneembodiment of the present disclosure;

FIG. 2 shows an organization in which separate intranets able to beformed in the distributed system of FIG. 1 are consolidated into asingle interconnected infrastructure;

FIG. 3 is a chart illustrating end-users and their membership denoted byan “X” to different communities-of-interest of a small subset of anexample larger organization;

FIG. 4 illustrates an example logical computing environment in which anencryption key is used to encrypt a cryptographic data set transferredfrom a first computing device to a second computing device;

FIG. 5 illustrates a general purpose computing system for use inimplementing as one or more computing embodiments of the presentdisclosure;

FIG. 6 illustrates an example communications infrastructure useablewithin a computing environment to manage secure and clear textcommunications, according to various aspects of the present disclosure;

FIG. 7 illustrates an exemplary method for securely transmitting acryptographic data set among logically partitioned data paths;

FIG. 8 illustrates an exemplary method for securely transmitting amessage among logically partitioned data paths;

FIG. 9 illustrates an overall logical flow of how an original packet iscontaining a cryptographic data set, or message, is concatenated withpreheader and then split into portions which are appended with an IPheader containing a value indicating which set of data the portionbelongs;

FIG. 10 illustrates a distributed system using a secure boot deviceaccording to another embodiment of the present disclosure;

FIG. 11A illustrates a set of processing modules stored on a secure bootdevice according to yet another embodiment of the present disclosure;

FIG. 11B illustrates an example arrangement of memory of a secure bootdevice for storing the set of trusted modules on the secure boot deviceof FIG. 10;

FIG. 12 illustrates a flowchart of a method for using a secure bootdevice to create a secure connection to a server according to anembodiment of the present disclosure;

FIG. 13 illustrates a distributed processing system useable inconnection with a secure boot device to create a secure connection to aserver according to a possible embodiment of the present disclosure;

FIG. 14 illustrates a distributed processing system useable inconnection with a secure boot device to create a secure connection to aserver according to a further possible embodiment of the presentdisclosure;

FIG. 15 illustrates a distributed processing system useable inconnection with a secure boot device to create a secure connection to aserver according to a further possible embodiment of the presentdisclosure;

FIG. 16 illustrates a flowchart of creating a secure connectionaccording to an embodiment of the present disclosure;

FIG. 17 illustrates an example network in which secure tunnels cancoexist with clear text communication, according to a possibleembodiment of the present disclosure;

FIG. 18 illustrates a distributed system in which secure tunnels coexistwith clear text communication, according to a possible embodiment of thepresent disclosure;

FIG. 19 illustrates a distributed hybrid system using virtual privatenetwork and secure connections, using the distributed systems of FIGS.18-19, according to a possible embodiment of the present disclosure;

FIG. 20 illustrates a flowchart of authenticating a system for use ofcoexisting secure and clear text tunnels, according to a possibleembodiment of the present disclosure;

FIG. 21 illustrates a flowchart of methods and systems for configuring adistributed system including coexisting secure and clear text tunnelsusing a provisioning utility, according to a possible embodiment of thepresent disclosure;

FIG. 22 illustrates an example distributed system in which a secureterminal can be updated during secure connection to a customer virtualnetwork, according to a possible embodiment of the present disclosure;

FIG. 23 illustrates a second example distributed system in which asecure terminal can be updated during secure connection to a customervirtual network, according to a possible embodiment of the presentdisclosure;

FIG. 24 illustrates a third example distributed system in which a secureterminal can be updated during secure connection to a customer virtualnetwork, according to a possible embodiment of the present disclosure;and

FIG. 25 is a flowchart of methods and systems for updating a securevirtual terminal connected to a distributed system, according to apossible embodiment of the present disclosure.

DETAILED DESCRIPTION

Various embodiments of the present invention will be described in detailwith reference to the drawings, wherein like reference numeralsrepresent like parts and assemblies throughout the several views.Reference to various embodiments does not limit the scope of theinvention, which is limited only by the scope of the claims attachedhereto. Additionally, any examples set forth in this specification arenot intended to be limiting and merely set forth some of the manypossible embodiments for the claimed invention.

In general, the present disclosure relates to a method, apparatus, andarticle of manufacture for providing a secure client for providingsecure access to a remote server from a computing system attached to anunsecured network. The present disclosure provides for a secureconnection to such a server generally, and in particular distributednetwork resources. Various aspects include methods and systems forsecure connection to a distributed system for performing transactions,for example using a thin client, terminal-based system. Methods andsystems for updating such a system while a secure connection isestablished are provided as well. Additionally, methods and systems formanaging encryption keys within a secure network, and for allowingsecure and clear text connections to coexist within a secure network areprovided as well.

I. Generalized Infrastructure for Secure Communication

FIG. 1 illustrates a distributed system 100 in which aspects of thepresent disclosure can be implemented, according to one embodiment ofthe present disclosure. A distributed computing system 100 allows anumber of users to communicate with any number of servers 111-113 usingtheir own client computers 121-124, via a network, show as the internet126. On a client computer 123, a web page 131 or othernetwork-accessible resource can be displayed to a user that correspondsto a transaction 132 being performed on a particular server, e.g.,server 112. The communications between the client computer 123 andserver 112 occurs over a secure connection.

In one possible embodiment of the present invention, this secureconnection utilizes a security technology developed by the UnisysCorporation that are described in detail in a number of commonlyassigned U.S. patent applications. These applications generally describea cryptographic splitting and recombining arrangement referred to hereinas “cryptographically secure” or “Stealth-enabled”. These applicationsinclude:

-   -   1. U.S. Provisional application entitled: Distributed Security        on Multiple Independent Networks using Secure “Parsing”        Technology, by Robert Johnson, attorney Docket No. TN400.P, Ser.        No. 60/648,531, filed 31 Jan. 2005;    -   2. U.S. application entitled: Integrated Multi-Level Security        System, by Robert Johnson, Attorney Docket No. TN400.US, Ser.        No. 11/339,974 filed 26 Jan. 2006 claiming the benefit of the        above provisional applications;    -   3. U.S. application entitled: Integrated Multi-Level Security        System, by Robert Johnson et al., Attorney Docket No.        TN400.USCIP1, Ser. No. 11/714,590 filed 6 Mar. 2007 which is a        continuation-in-part of U.S. application Ser. No. 11/339,974;    -   4. U.S. application entitled: Integrated Multi-Level Security        System, by Robert Johnson et al., Attorney Docket No.        TN400.USCIP2, Ser. No. 11/714,666 filed 6 Mar. 2007 which is a        continuation-in-part of U.S. application Ser. No. 11/339,974;        and    -   5. U.S. application entitled: Integrated Multi-Level Security        System, by Robert Johnson et al., Attorney Docket No.        TN400.USCIP3, Ser. No. 11/714,598 filed 6 Mar. 2007 which is a        continuation-in-part of U.S. application Ser. No. 11/339,974.

All of these applications are currently pending before the U.S. Patentand Trademark Office, are commonly assigned to the owner of the instantapplication, and are incorporated herein in their entireties.

In various embodiments of the present disclosure, the servers 111-113can be distributed across a plurality of discrete locations orcontrolled by different entities; in such embodiments, these servers111-113 can be referred to generally as remote servers, as theyrepresent servers accessible from a remote location and which can beaccessed via an unsecured network. For example, in some embodiments ofthe present disclosure (discussed in greater detail below), one or moreof the servers 111-113 is a banking server, configured to communicatesecurely with one or more client terminal devices across a secureconnection, formed for example via the Internet. In such examples, orothers where a high level of security is required, one or more secureconnections can be established between client devices and a server, oramong servers, on such an unsecured network. Other serverfunctionalities or arrangements are possible as well, for exampleincluding administration, provisioning, and usermanagement/authentication systems. In such embodiments, one or more suchseparate functionalities can be integrated into, or can reside separatefrom, an entity requiring highly secure communications such as afinancial institution where reliable security is needed.

FIG. 2 shows an organization 200 in which separate intranets able to beformed in the distributed system of FIG. 1 are consolidated into asingle interconnected infrastructure. In the organization 200 as shown,a variety of physically separated resources, illustrated as residing atsites 204, 206, 208, respectively, can be communicativelyinterconnected, for example via the Internet 202. In accordance with thepresent disclosure, secure communication can be accomplished among thevarious sites 204-208, and from remote users to one or more sites. Forexample, one or more of the servers 111-113 can be physically located ata different location from other servers, and client computers 121-124can be located at any location either within an entity's intranet orexternal to that intranet. Access to the resources of the organization200 by a user is provided not based on that user's location, but his/hermembership in a community-of-interest associated with that entity.

As used in the present disclosure, a community-of-interest refersgenerally to a group of two or more people who share a common interestand are grouped together based on their common interest. Acommunity-of-interest may correspond to a role of an individual in anorganization, a job level, security level, or may correspond to someother characteristic. A community-of-interest may also correspond tosome subject defined by an organization or an individual and associatedwith one or more individuals (i.e., end-users of a computing device). Acommunity-of-interest may be defined differently depending on theorganizational structure of the entity.

FIG. 3 is a chart 300 illustrating end-users and their membershipdenoted by an “X” to different communities-of-interest of a small subsetof an example organization. In this condensed example, a President of anorganization, given his/her position, is entitled to access data in allof the communities-of-interest. On the other hand, a Payroll Specialistwhose role may be limited to only issuing paychecks can only view orshare data associated with the payroll community-of-interest and noother communities-of-interest. An HR (Human Resources) Manager givenhis/her position in HR as well as being a manager may view or share datafrom both the HR and Management communities-of-interest. Finally, inthis example, a Sales Associate is only able to view data from or sharedata with others associated with the Sales community-of-interest.

In the example shown, while the President can access data in all fourcommunities-of-interest, the President cannot share data with thePayroll Specialist if the data the President sends to the PayrollSpecialist is encrypted for use in a community-of-interest that thePayroll Specialist cannot access. That is, no communication session canbe established between the President and the Payroll Specialist otherthan within the Payroll community-of-interest. Therefore the messagewith a community-of-interest key not associated with the PayrollSpecialist cannot be sent to the Payroll Specialist. Even if the messageis accidentally received by the Payroll Specialist, the PayrollSpecialist cannot view the message, for example due to use of encryptionkeys specific to each community of interest, as discussed in furtherdetail below. This safeguard prevents inadvertent ormalicious/intentional dissemination of plaintext data to individuals whoare not members of a particular community-of-interest, and therefore,are not authorized to receive such information.

It is possible to distribute community-of-interest specific encryptionkeys (also known herein as “community-of-interest keys”) withindepartments, groups, agencies, different offices of an entity, based onranks of individuals, security level ratings of individuals,commercial/non-commercial entities, governmental/non-governmentalentities, corporations, or just about any group. It is also possible todynamically create a community-of-interest or revoke a community ofinterest by the dissemination or removal of community-of-interest keys.

Thus, in accordance with one embodiment, each individual (or end user)associated with an organization has one or more community-of-interestkeys provided on their computers, which is a secret encryption and/ordecryption key previously installed thereon as a set of code or logic ona computer. Only computer devices with matching community-of-interestkeys can communicate with one another, or observe data classified withintheir community-of-interest. That is, each community-of-interest key isassociated with an end-user's community-of-interest (such as a positionin a company or a security level), thereby allowing only end-userswithin the same group and having at least the same community-of-interestkey to communicate with each other, or to gain access to data associatedwith that community-of-interest.

Of course, multiple community-of-interest keys can be distributed toindividuals based on their membership and roles. It is conceivable thatselect end-users in each community-of-interest, may have more access tocertain data, while others may have less ability to view or share data.The methods of this invention using communities-of-interest keys allowsfor the sharing or accessing of data to end-users whose computers havebeen preconfigured with appropriate community-of-interest keys.

Community-of-interest keys may also be installed on servers or otherplatforms within a network to protect sensitive data. Servers dedicatedto a particular community-of-interest may only communicate withcomputing devices that have the same requisite community-of-interestkeys installed therein. Otherwise no communication session can beestablished between a computing device and a server without both deviceshaving the requisite key(s). Details regarding particularimplementations in which a user device connects to server systems basedon shared community-of-interest keys are described below.

Referring now to FIGS. 4-6, various components of a computing device aredisclosed, with which aspects of the present disclosure can beimplemented. With reference to FIGS. 4-5, exemplary physical and logicalorganizations of systems are shown in which aspects of the presentdisclosure can be implemented. Although some of the discussion belowwill focus on end-user equipment such as personal computers, theapplicability of the present invention is not limited to end-userequipment, and may be used with other computing devices within anetwork. For example, computing devices according to the presentdisclosure may be other general or special purpose computing devices,such as, but not limited to, gateways, servers, routers, workstations,mobile devices (e.g., POA, cellular phone, etc.), and a combination ofany of the above example devices, and other suitable intelligentdevices.

FIG. 4 is a block diagram illustrating an example computing device 400,which can be used to implement aspects of the present disclosure, andupon which one or more of the server applications, operating systems, orauthentication systems described herein can be executed. Generally, FIG.4 illustrates an example physical system useable for implementingfeatures of the present disclosure include a general-purpose computingdevice in the form of a conventional personal computer.

In the example of FIG. 4, the computing device 400 includes a memory402, a processing system 404, a secondary storage device 406, a networkinterface card 408, a video interface 410, a display unit 412, anexternal component interface 414, and a communication medium 416. Thememory 402 includes one or more computer storage media capable ofstoring data and/or instructions. In different embodiments, the memory402 is implemented in different ways. For example, the memory 402 can beimplemented using various types of computer storage media.

The processing system 404 includes one or more processing units. Aprocessing unit is a physical device or article of manufacturecomprising one or more integrated circuits that selectively executesoftware instructions. In various embodiments, the processing system 404is implemented in various ways. For example, the processing system 404can be implemented as one or more processing cores. In another example,the processing system 404 can include one or more separatemicroprocessors. In yet another example embodiment, the processingsystem 404 can include an application-specific integrated circuit (ASIC)that provides specific functionality. In yet another example, theprocessing system 404 provides specific functionality by using an ASICand by executing computer-executable instructions.

The secondary storage device 406 includes one or more computer storagemedia. The secondary storage device 406 stores data and softwareinstructions not directly accessible by the processing system 404. Inother words, the processing system 404 performs an I/O operation toretrieve data and/or software instructions from the secondary storagedevice 406. In various embodiments, the secondary storage device 406includes various types of computer storage media. For example, thesecondary storage device 406 can include one or more magnetic disks,magnetic tape drives, optical discs, solid state memory devices, and/orother types of computer storage media.

The network interface card 408 enables the computing device 400 to senddata to and receive data from a communication network. In differentembodiments, the network interface card 408 is implemented in differentways. For example, the network interface card 408 can be implemented asan Ethernet interface, a token-ring network interface, a fiber opticnetwork interface, a wireless network interface (e.g., WiFi, WiMax,etc.), or another type of network interface.

The video interface 410 enables the computing device 400 to output videoinformation to the display unit 412. The display unit 412 can be varioustypes of devices for displaying video information, such as a cathode-raytube display, an LCD display panel, a plasma screen display panel, atouch-sensitive display panel, an LED screen, or a projector. The videointerface 410 can communicate with the display unit 412 in various ways,such as via a Universal Serial Bus (USB) connector, a VGA connector, adigital visual interface (DVI) connector, an S-Video connector, aHigh-Definition Multimedia Interface (HDMI) interface, or a DisplayPortconnector.

The external component interface 414 enables the computing device 400 tocommunicate with external devices. For example, the external componentinterface 414 can be a USB interface, a FireWire interface, a serialport interface, a parallel port interface, a PS/2 interface, and/oranother type of interface that enables the computing device 400 tocommunicate with external devices. In various embodiments, the externalcomponent interface 414 enables the computing device 400 to communicatewith various external components, such as external storage devices,input devices, speakers, modems, media player docks, other computingdevices, scanners, digital cameras, and fingerprint readers.

The communications medium 416 facilitates communication among thehardware components of the computing device 400. In the example of FIG.4, the communications medium 416 facilitates communication among thememory 402, the processing system 404, the secondary storage device 406,the network interface card 408, the video interface 410, and theexternal component interface 414. The communications medium 416 can beimplemented in various ways. For example, the communications medium 416can include a PCI bus, a PCI Express bus, an accelerated graphics port(AGP) bus, a serial Advanced Technology Attachment (ATA) interconnect, aparallel ATA interconnect, a Fiber Channel interconnect, a USB bus, aSmall Computing system Interface (SCSI) interface, or another type ofcommunications medium.

The memory 402 stores various types of data and/or softwareinstructions. For instance, in the example of FIG. 4, the memory 402stores a Basic Input/Output System (BIOS) 418 and an operating system420. The BIOS 418 includes a set of computer-executable instructionsthat, when executed by the processing system 404, cause the computingdevice 400 to boot up. The operating system 420 includes a set ofcomputer-executable instructions that, when executed by the processingsystem 404, cause the computing device 400 to provide an operatingsystem that coordinates the activities and sharing of resources of thecomputing device 400. Furthermore, the memory 402 stores applicationsoftware 422. The application software 422 includes computer-executableinstructions, that when executed by the processing system 404, cause thecomputing device 400 to provide one or more applications. The memory 402also stores program data 424. The program data 424 is data used byprograms that execute on the computing device 400.

The term computer readable media as used herein may include computerstorage media and communication media. As used in this document, acomputer storage medium is a device or article of manufacture thatstores data and/or computer-executable instructions. Computer storagemedia may include volatile and nonvolatile, removable and non-removabledevices or articles of manufacture implemented in any method ortechnology for storage of information, such as computer readableinstructions, data structures, program modules, or other data. By way ofexample, and not limitation, computer storage media may include dynamicrandom access memory (DRAM), double data rate synchronous dynamic randomaccess memory (DDR SDRAM), reduced latency DRAM, DDR2 SDRAM, DDR3 SDRAM,solid state memory, read-only memory (ROM), electrically-erasableprogrammable ROM, optical discs (e.g., CD-ROMs, DVDs, etc.), magneticdisks (e.g., hard disks, floppy disks, etc.), magnetic tapes, and othertypes of devices and/or articles of manufacture that store data.Communication media may be embodied by computer readable instructions,data structures, program modules, or other data in a modulated datasignal, such as a carrier wave or other transport mechanism, andincludes any information delivery media. The term “modulated datasignal” may describe a signal that has one or more characteristics setor changed in such a manner as to encode information in the signal. Byway of example, and not limitation, communication media may includewired media such as a wired network or direct-wired connection, andwireless media such as acoustic, radio frequency (RF), infrared, andother wireless media.

Additionally, the embodiments described herein are implemented aslogical operations performed by a computer. The logical operations ofthese various embodiments of the present invention are implemented (1)as a sequence of computer implemented steps or program modules runningon a computing system and/or (2) as interconnected machine modules orhardware logic within the computing system. The implementation is amatter of choice dependent on the performance requirements of thecomputing system implementing the invention. Accordingly, the logicaloperations making up the embodiments of the invention described hereincan be variously referred to as operations, steps, or modules.

FIG. 5 illustrates an example arrangement of logical components of ageneral purpose computing system 500 for use in implementing as one ormore computing embodiments of the present invention, and can beimplemented within the hardware environment 400 illustrated in FIG. 4.In the embodiment shown, the computing device 500 includes a controller502 including at least one processor 504, a power source 506, and memory508, which can be as described above in connection with FIG. 4. In someimplementations, volatile memory 510 is used as part of the computingdevice's cache, permitting application code and/or data to be accessedquickly and executed by processor 504. Memory 508 may also includenon-volatile memory 512, as well as flash memory 514. It is alsopossible for other memory mediums (not shown) having various physicalproperties to be included as part of computing device 300.

A file system 522 may reside as a component in the form ofcomputer-executable instructions and/or logic within memory 508, thatwhen executed serves as a logical interface between code stored in flash514 and other storage mediums. File system 522 is generally responsiblefor performing transactions on behalf of code stored in ROM or one ormore applications. File system 522 may also assist in storing,retrieving, organizing files, and performing other related tasksassociated with code and/or data. That is, file system 522 has theability to read, write, erase, and manage files (applications, etc.).File system 522 may also include other applications such as webbrowsers, e-mail, applications, and other applications.

Computing device 300 may also include one or more Input/Output ports 516to transmit and/or receive data. I/O ports 516 are typically connectedin some fashion to controller 502 (processor 502 and memory 508). I/Oports 516 are usually at least partially implemented in hardware forconnecting computing device 500 to a communication link 518, and mayinclude wired as well as wireless capabilities. Communication link 518may include any suitable connection means for handling thetransportation of data to and from computing device 500, such as, butnot limited to, cable, fiber optics, and wireless technology.Communication link 518 may also include network technology includingportions of the Internet.

Stored within one or more portions of memory 508 is a security engine550. That is, security engine 550 includes one or more sets ofcomputer-executable code resident in a computer-readable medium such asmemory 508. Security engine 550 performs security functions associatedwith transmitting, receiving, or storing data. These security functionsmay include encrypting data and decrypting data. Typically,cryptographic corresponding key pairs are installed in memory, such asan encryption key and decryption keys. However, it is appreciated that acorresponding cryptographic key may reside on another computing device.The keys may be public or private as would be appreciated by thoseskilled in the art. The keys may be generated using commerciallyavailable products or proprietary technology.

In one embodiment, security engine 550 includes one or more filters 552,which define permissions relating to secure communication by thecomputing device 500. By permissions, it is intended that one or moreremote endpoints can be defined in a filter, and access to that endpointcan be either allowed or prevented based on an identity of a user.

In such an embodiment, security engine 550 also includes one or morecommunity-of-interest keys 554, which are private and secret keys usedfor encrypting/decrypting other security keys in accordance with thisinvention. That is, community-of-interest keys 554 are used fortransformation (encryption) of a second key (or additional keys), suchas a session key, into a cryptographically split key, as well as forretransformation (decryption) of the second key back to its usable form.

A community-of-interest key 554 refers generally to an encryption keyand/or corresponding decryption key, that may be assigned to a computingdevice 500 of an end-user based on an associated community-of-interestattributed to the end-user. For instance, end-users of a computingdevice 500, may also have one or more community-of-interest keys 554installed on their computing device, based on their position or securitylevel within an organization.

It is also possible to secure and segregate messages based on a categoryof a community-of-interest associated with the message using acorresponding community-of-interest key 554 (e.g., cryptographic pairs).Also, unlike private/public key pairs, community-of-interest keys 554are usually installed or generated before a transaction to increasesecurity, rather than receiving and generating the key on-the-fly duringa transaction, in which the key can be intercepted.Community-of-interest keys 554 may be stored in a key repository 566,which is a storage area in memory 508. Filters 552 can also be stored inmemory 508.

In some embodiments, each community-of-interest key 554 has anassociated filter 552, such that a set of endpoint access permissionsare included with each community of interest. In such embodiments, thefilter associated with a community-of-interest key 554. Examplecommunity of interest keys can include a secure community of interestkey 554, that may have an associated filter defining one or moreendpoints and/or gateway devices associated with that community ofinterest and excluding communication with any unsecured sites, or aclear text filter that would allow clear text communication withexternal, publicly available and unsecured systems (e.g., via theinternet). In the example of the clear text filter, such a filter couldinclude one or more exclusionary permissions preventing clear textcommunication to secured endpoints or gateway devices normally requiringcryptographically-secured communication. Additional details regardingexample key and filter arrangements are discussed below in conjunctionwith FIG. 17-21.

Security engine 550 may also include a cryptographic engine 556 forgenerating cryptographic keys and other information used to encrypt ordecrypt messages, as well as route data to a target device. In oneembodiment, cryptographic engine 556 generates a cryptographic data set,which may include one or more session keys which are used forencrypting/decrypting one message or a group of messages when computingdevice 500 is in a communication session with another device.

Security engine 550 may also include other authentication data and code558, used for purposes of authenticating data or information, such aspasswords, recorded biometric information, digital certificates, andother security information. As is appreciated by those skilled in theart after having the benefit of this disclosure, it is possible thatthere may be various combinations of keys and authentication data insecurity engine 550.

Although described in terms of code, the exemplary security engine 550may be implemented in hardware, software, or combinations of hardwareand software. Additionally, all components of security engine 550 may becommunicatively coupled to each other through controller 502. As wouldbe appreciated by those skilled in the art, many of the components ofsecurity engine 550 may be stored and identified as files under controlof file system 522.

Security engine 550 may also include a data splitter module 560 forsplitting data that is to be transmitted from computing device 500.Typically, security engine 550 relies on a community-of-interest keyand/or cryptographic engine 556 to determine how to split and encryptdata. Data splitter module 560 divides data into portions of data. Aportion of data is any bit or combination of bits of data that comprisea larger set of data, such as a message or a portion of a cryptographicdata set (a second key). A portion of data may be encapsulated inpackets for transport, but the content of the data may be fixed or of avariable bit length. Accordingly, a portion of data (such as a portionof message or portion of cryptographic data set) corresponds to one ormore bits comprising data content, i.e., payload as opposed to a dataheader message. Data splitter 560 may be configured to producepredetermined bit length portions of data or it may be determineddynamically in an automatic fashion.

Security engine 550 may also include an assignment module 562.Assignment module 562 assigns tags to each portion of data (portion of amessage or key). Each tag contains metadata indicating a traffic path(to be described) a particular portion of data is to be distributedthrough one or more networks to another computing device 400. Othermetadata may be included in the tags, such as information identifyingthe network the portion of data originated, the client devicedestination, possibly the order of the portion of data in relation toother portions of data emitted from the same network, and other suitableinformation.

Security engine 550 may also include an assembler module 564 configuredto reassemble portions of data received at different times, and/or viadifferent data paths. Once data is reassembled, authorized assets andmessages appear accessible in plaintext format from the end-usersperspective. It is noted that various security techniques may beemployed on computing device 500 to prevent the user from saving data,mixing different levels of data, or sending the data to other locationsfor dissemination to another network, such as via email or otherelectronic transfer means. Applications may also execute on separatephysical and/or logical partitions within computing device 500.

Additional details regarding the security engine and cryptographic datasets generated using the security engine are discussed in U.S. patentapplication Ser. Nos. 60/648,531; 11/339,974; 11/714,590; 11/714,666;and 11/714,598, which were previously incorporated by reference in theirentireties.

FIG. 6 illustrates an example communications infrastructure 600 useablewithin a computing environment to manage both secure and clear textcommunications channels, according to various aspects of the presentdisclosure. The communications infrastructure 600 can be implementedwithin the computing systems 400, 500 of FIGS. 4-5, for example usingthe operating system 420, application programs 422, and program data 424to managing operation of network interface or adapter 408 of FIG. 4, andfor example as at least in part implemented using security engine 550 ofFIG. 5.

In the embodiment shown, the communications infrastructure 600 includesa physical network interface card 602 communicatively interconnected toa network 604, illustrated in this embodiment as an Ethernet local areanetwork (LAN). The physical network interface card 602 is generally apiece of communications hardware included within the computing system,and can be, in one embodiment, the network interface adapter 452 of FIG.4.

The communications infrastructure 600 includes a routing table 606,which defines one or more local and remote IP addresses used tocommunicate messages between a computing system incorporating theinfrastructure 600 and a remote computing system. For example, therouting table 606 can include a default route, local network andbroadcast addresses, as well as one or more network masks, gateways, andother points of interest.

In general, when a computing system intends to transmit clear text datausing the physical network interface card 602, that system willdetermine an address using the routing table 606 and form a packet to beforwarded to the physical network interface card 602 for communicationvia network 604. In accordance with the present disclosure, to separatesecure data communications from standard clear text communications, adedicated communication stack can be used for each of one or more typesof secured communication.

In the embodiment shown, and as discussed in further detail in variousembodiments of the present disclosure below, the communicationsinfrastructure 600 includes a first secure software stack 608 and asecond secure software stack 609, each useable to communicate over asecured connection to a remote system. The first secure software stack608 that includes a secure communications driver 610, a virtual securenetwork interface card 612, and a network interface card driver 614.

The secure communications driver 610 receives data to be transmitted viaa secured communication method (e.g., as described in FIGS. 7-10,below), and an address from the routing table 606, and generates one ormore packets of encrypted data to be transmitted. In some embodiments,as discussed further below, the secure communications driver uses one ormore filters to determine whether secured (split and encrypted) datapackets can be sent or received to/from a particular network address,and to determine whether secure or clear text data packets can beaccepted at the computing system implementing the communicationsinfrastructure 600. For example, if a data packet or message is receivedat the virtual secure network interface card 612 from an endpoint notincluded in an access list of a filter that defines permissions to thatendpoint or client device, the secure communications driver 610 willdiscard that packet, preventing it from reaching an application to whichit would otherwise be addressed or intended. Likewise, the securecommunications driver 610 can prevent communication of data packets toremote endpoint systems not authorized by the access lists in one ormore filters defined in the computing device.

The virtual secure network interface card 612 acts as a virtual versionof the physical network interface card 602, in that it receives datapackets formed at the secure communications driver 610 and instructionsfor where and how to transport those data packets. In certainembodiments, the secure communications driver 610 acts analogously to ahardware driver, but acts on the virtual secure network interface card612.

The network interface card driver 614 provides the link between thevirtual secure network interface card 612, and physical network adapter604 to allow communication of secured data packets with a remote system(e.g., an endpoint, gateway, or other remote system). In certainembodiments, the network interface card driver 614 acts as a piece ofhardware to the operating system of the computer implementing thecommunications infrastructure 600, for example to host the virtualsecure network interface card 612, and allow applications to transmitdata via that piece of virtual hardware.

In the embodiment shown, an optional second software stack 609 is alsoshown, which can be used concurrently with the first secure softwarestack 608. In the embodiment shown, the second software stack isconfigured to allow a different type of security, in which security isnot provided by data obfuscation on a packet-by-packet basis, but ratherby creating a secured connection to a dedicated endpoint. In the exampleembodiment shown, this second software stack 609 is configured to managecommunication via a virtual private network (VPN) connection, where asecure tunnel is formed between the computing system operating thecommunications infrastructure 600 and a predetermined, known gateway. Inthis embodiment, the second software stack 609 includes a VPN driver616, a virtual VPN network interface card 618, and a VPN communicationsdriver 620. The VPN driver 616 generates instructions for communicationwith a particular VPN gateway, and for constructing a secure tunnelbetween the computing system implementing the communicationsinfrastructure 600 and the VPN gateway (e.g., as illustrated below inconnection with FIG. 20). The virtual VPN network interface card 618,like the virtual secure network interface card 612, acts as a virtualversion of the physical network interface card 602, in that it receivesdata packets formed at the VPN driver 616 and instructions for where andhow to transport those data packets (e.g., via a secure tunnel). Thevirtual VPN network interface card 618, similar to the network interfacecard driver 614 acts as a piece of hardware to the operating system ofthe computer implementing the communications infrastructure 600, forexample to host the virtual VPN network interface card 618, and allowapplications to transmit data via that piece of virtual hardware toremote systems.

Overall, and referring to FIGS. 1-6 generally, it is noted that thecomputing systems and generalized example networks of the presentdisclosure generally provide infrastructure for receipt and managementof encryption keys specific to one or more communities-of-interest, anddistributed use of algorithms for encrypting and splitting data intoobscured data packets such that only those individuals having accessrights to that data can in fact reformulate the data upon receipt ofthose data packets. FIGS. 7-9 below briefly describe methods andarrangements for treatment of data packets sent and received from agateway, endpoint, or other computing device configured for securedcommunication using the cryptographic splitting and virtual networkarrangements of the present disclosure.

II. Methods for Secure Communication

Referring now to FIGS. 7-9, methods and systems for securelytransmitting data packets between computing systems are disclosed.Generally, the methods and systems illustrated in FIGS. 7-10 provide abrief overview of methods of handling data packets sent and receivedusing the computing systems and networks described herein, for examplethose discussed above with respect to FIGS. 1-6. Additional detailsregarding these methods and systems are disclosed in the copending U.S.patent application Ser. Nos. 60/648,531; 11/339,974; 11/714,590;11/714,666; and 11/714,598, listed above and previously incorporated byreference.

As used herein, a “message” or “data packet” refers generally to any setof data sent from one node to another node in a network. A message mayinclude different forms of data usually in some form of a payload. Amessage may be an e-mail, a video stream, pictures, text documents, wordprocessing documents, web-based content, instant messages, and variousother forms of data that when in plain text, or clear form, may revealconfidential and sensitive information. In most instances, thisinvention is concerned with securing data-in-motion, or in other words,cryptographic data or messages sent from one node to another node suchas data traveling from one location to another within one or morenetworks which may include the Internet.

FIG. 7 illustrates an exemplary method 700 for securely transmitting acryptographic data set among logically partitioned data paths. Thecryptographic data set can include, for example one or more encryptionkeys, filters, and other information useable at an endpoint or othercomputing device to enable that device to establish secure communicationwith a remote system (e.g., another endpoint, a gateway, or any otherremote device configured for cryptographically split communication).

In this method, in block 702, a cryptographic data set is divided into aplurality of portions, and tag values are assigned to each portion ofthe set. Each portion is encapsulated in separate packets. In block 704,the portions of cryptographic data set are transmitted from an egresspoint of a computing device, such as a network interface card asdiscussed above in conjunction with FIG. 6. On the receiving endpoint,in block 706, each portion of cryptographic data is received by a targetcomputing device. In one embodiment, as the packets received include anew community-of-interest key identifier embedded therein. In anotherembodiment, newly received packets do not include such a key identifier,and instead the receiving endpoint attempts to restore (reassemble) acryptographic data portion encapsulated in a payload portion of thepacket using a community-of-interest key accessed from the receivingcomputing device's repository. If there is only onecommunity-of-interest key present in the repository, the receivingcomputing will attempt to reassemble the cryptographic data portion(s)using the single key. If there are more than one community-of-interestkey in the receiving computing device's repository, the receivingcomputing device will iteratively try each key until it locates a keywhich is able to reassemble the cryptographic data portion(s).

However, if no identifier match is located in block 706, in Step 708each packet and hence portion of cryptographic data set received by thetarget device is discarded, erased, and/or ignored. This may represent asituation where the end-user of an endpoint does not have authorizationto view a message, because the end-user (or the end-user's computingdevice) lacks the requisite community-of-interest key, or if thetransmitting computing device is not included in a listing of permitteddevices at the target device.

If according to the Yes branch of block 706, a community-of-interest keymatching the identifier is located, or a community-of-interest key isidentified which is able to restore the payload portion of thepacket(s), then in block 710 each portion of the cryptographic data setis temporarily stored for eventual reassembly. At this point a tunnelcan be established between the sending and receiving computing devices.

In block 712, the cryptographic data set is decrypted. That is, thecryptographic data set is reconstructed (reassembled) by decrypting eachportion of the cryptographic data set using the community-in-interestkey identified in block 710. Once all portions of cryptographic data setare received, it is possible to fully reassemble the cryptographic dataset on the receiving computing device. The cryptographic data set is ina usable form for use to decrypt portions of a message received, whichwill be described with reference to FIG. 8.

FIG. 8 illustrates an exemplary method 800 for securely transmitting amessage among logically partitioned data paths, according to a possibleembodiment. Generally, method 800 occurs after a secure tunnel has beencreated, to allow transmission between two computing systems. Method 800includes blocks 802, 804, 806, and 808 (each of the blocks representsone or more operational acts). The order in which the method isdescribed is not to be construed as a limitation, and any number of thedescribed method blocks can be combined in any order to implement themethod. Furthermore, the method can be implemented in any suitablehardware, software, firmware, or combination thereof.

In block 802, a message is divided into portions, and tag values areassigned to each portion of the set. Each portion is encapsulated inseparate packets using a cryptographic data set at the sending computingdevice. For example, in one embodiment, an assignment module 562 (FIG.5) uses a cryptographic data set stored at the sending computing device(or as received, according to the method 700 of FIG. 7) to assign tagsto each portion of the message. Each tag contains metadata indicating atraffic path a particular portion of a message is to follow to a targetcomputing device within a network.

In block 804, the portions of cryptographic data set are transmittedfrom an egress point of a computing device. For example, portions ofcryptographic data set are transmitted from an I/O port 516 of computingdevice 500, separately. In one embodiment, transmitting the portionsseparately may include transmitting at least one portion of the messageat a different instance in time than at least another portion of themessage. In one embodiment, transmitting the portions of the messageseparately includes transmitting at least two different portions of themessage on at least two different data communication paths. For example,computing device 500 assigns a portion of message to a particular datapath based on the tag value. Tag values assigned to each portion ofcryptographic data may correspond to a particular communication datapath, to transmit the portion of cryptographic data set. In block 806,each portion of the message set is temporarily stored for eventualreassembly in some portion of memory 508 (FIG. 5) of a computing device.

In block 808, the message is put into a useable form. That is, themessage is reconstructed (reassembled) by decrypting each portion of themessage using the cryptographic data set. For example, security engine550 (FIG. 5) may use an assembler module 564 (FIG. 5) in conjunctionwith a cryptographic data set to reassemble portions of message receivedat different times, and/or via different data paths. Once all portionsof the message are received, it is possible to fully reassemble themessage in a usable form on the receiving computing device.

FIG. 9 illustrates an overall logical flow of how an original message orcryptographic data set (e.g., as in FIGS. 7-8, above) is split andencrypted according to the various embodiments discussed herein. Asillustrated, an original message 902 is combined with a preheader 904,and split into portions 906 by a splitting function 908. The splittingfunction 908 also acts to encrypt each of the portions, such that eachportion contains an obfuscated portion of the original message 902. Eachof the portions 906 are appended with an IP header 910. The IP header910 of each split portion identifies the set of data to which theportion 906 belongs. The various portions can then be passed from afirst computing system to a second computing system via a number ofdifferent routes, with the second computing system having a capabilityof reassembling that original message 902 (for example, due topossession of a complementary community-of-interest key or cryptographicdata set) at a reassembly function 912. In various embodiments, thesplitting function 908 and reassembly function 912 can be performed, forexample, by a security engine, such as engine 550 of FIG. 5, on anauthorized transmitting and receiving computing device, respectively. Incertain embodiments, the splitting function 908 and reassembly function912 use a strong encryption standard, such as AES-256 encryption. Othertypes of encryption standards and data splitting/dispersal operationscould be used as well.

III. Transaction Security Using a Secure Boot Device

Referring now to FIGS. 10-16, a particular embodiment of the distributedsystems discussed above is disclosed in which a secure connection can beestablished across a public network, such as the internet. In thisembodiment, generally a secure boot device can be used to create asecure environment at an otherwise untrusted computing device, which canin turn remotely access a trusted computing device. Such an embodimentcan be used, for example, to provide a secure portal to a centralizedtransaction processor, such as a banking institution, a governmentalinstitution, or other entity where in-transit data security isimportant.

Referring now specifically to FIG. 10, a generalized example of adistributed system 1000 is shown, using a secure boot device 1002,according to a possible embodiment of the present disclosure. In theembodiment shown, the distributed system 1000 includes a server 1004,such as a banking or government server. The distributed system alsoincludes one or more remote computer systems 1006, for examplecustomer-owned, employee-owned, or otherwise uncontrolled systems. Theserver 1004 can be any of a number of types of server systems capable ofreceiving transactions from the one or more remote computer systems1006, such as a web server or database server. In alternativeembodiments include more than one server and/or computer system 1006.

In certain embodiments, a client computer system 1006, also referred toherein as an endpoint or client computing device, can display a userinterface, such as web page 1008. The web page 1008 or other userinterface can display to a user details of a transaction 1005 takingplace at the server 1004, for example a financial transaction in thecase that the server 1004 is a banking server, or some other type oftransaction relating to an entity for which highly secure communicationsare desired. A secure connection 1010 is created between the clientcomputer system 1006 and the server 1004 to allow transmission ofdetails regarding the transaction over a public network, such as theinternet.

In order to create the secure connection 1010 in a form that may betrusted by the server 1004, in certain embodiments the client computersystem 1006 boots an operating system that is stored on a secure bootdevice 1002 attached to the client computer system 1006. This secureboot device 1002 stores a trusted version of operating system softwareand secure communications software used when the client computer system1006 establishes and performs the communications with the server 1004.In one embodiment, the secure boot device 1002 may correspond to a USBstorage device such as a Stealth M500™ from MXI Security. A copy of thedatasheet for the MXY M500 device is submitted alongside thisapplication, and incorporated by reference herein in its entirety. Insuch embodiments, the client computer system 1006 is a USB-bootablecomputing system capable of communication with a remote system, such asserver 1004, or a gateway providing access to the server havingcapabilities of communicating using the cryptographic splittingoperations discussed herein.

The secure boot device 1002 provides secure storage that preventstampering with the software loaded onto the device. This secure storagepermits the institution operating the server 1004, such as a bank orother financial institution, to load onto the secure storage a set oftrusted software modules that may limit the possible operations that aclient computer system 1006 may perform. For example, the softwaremodules can be configured to prevent the client computer system 1006from accessing non-secured network resources, and can limit otherperipheral communication channels (e.g., Bluetooth, serial connections,or other peripheral device connections), as well as prevent the clientcomputer system 1006 from executing application programs stored in amemory of the system itself. As such, the transactions 1005 may betrusted by both the user at the client computer system 1006, and theinstitution controlling the server 1004. In addition, the establishmentof the secure connection 1010 between the client computer system 1006and the server 1004 may be authenticated using identificationinformation stored upon the secure storage (e.g., acommunity-of-interest key) to increase the level of trust that the usercorresponds to a customer of the bank.

FIG. 11A illustrates a set of processing modules 1100 stored on a secureboot device 1002 according to yet another embodiment of the presentinvention. The set of processing modules 1100 are preferably stored in aread-write portion of memory of a secure boot device that can, forexample, be updated by a trusted network resource, as discussed below.When a user wishes to establish a secure connection 1010 to a server1004 using a client computer system 1006, the user boots the clientcomputer system 1006 from the secure boot device 1002. To ensure thatthe client computer system 1006 poses a minimized threat of harm to theserver 1004, a minimal set of software modules 1101-1104 are loaded whenthe client computer system 1006 boots from the secure storage device1002. This minimal set of software modules include boot software 1101, aclient terminal process module 1102, a small OS shell 1103 and securecommunications interface software module 1104. Other modules could beincluded as well.

In some embodiments, each of these modules 1101-1104 are read from asecure boot image 1006 on the secure boot device 1002 at boot time ofthe client computer system 1006. These modules 1101-1104 are storedwithin the RAM of the client computer system 1006 and executed while theuser communicates with the server 1004. Although in some embodimentsmodules 1101-1104 can be located in a read-only portion of memory of thesecure boot device 1002 and loaded from that location when the clientcomputer system 1006 is booted from the secure boot device, in otherembodiments, the modules 1101-1104 are stored in a read-write memory,allowing the modules 1101-1104 to be updated in parallel with executionfrom copies of the modules stored in RAM on the client computer system1006. Details regarding this feature are described in greater detailbelow.

The boot software 1101 comprises the software modules needed to load theother software modules into the RAM of the client computer system 1006.This module ensures that the secure boot image is a valid image beforethe modules are loaded. It may perform consistency checks to verify thatthe modules have not been modified prior to loading and use.

The client terminal process module 1102 comprises the process thatprovides a user interface to the user of the client computer system 1006as well as communications to the server 1004. In various embodiments ofthe present disclosure, the client terminal process module 1102 createsa communications session, accepts commands and inputs from the user, andinteracts with remote resources, such as web services or other datacommunication services, on the server 1004 to permit the user to performtransactions 1005. In various embodiments, this process may include aweb browser or other file access mechanism for interaction with a serverusing known Internet based protocols. In other embodiments, the processmodule 1102 may be a specialized client application that performssimilar communications and user controls. The process module 1102 maylimit a user's ability to input destination URLs and related serveraddresses into a browser, thereby allowing only use of one or moreaddresses preloaded into the secure boot device 1002 as an exampleadditional mechanism to enhance security.

The small OS shell 1103 comprises a stripped down version of a standardoperating system such as Linux™. For example, the small OS shell 1102can in some embodiments include only the supporting modules and driversnecessary to support the client terminal process 1102 and thecommunications interface module 1104 used to establish and utilize thesecure connection 1010 to the server 1004. All other modules thattypically are included in an operating system to permit the generalpurpose use of the client computer system 1006 as well as to initiatethe execution of any program stored on the client computer system 1006can be omitted. In one embodiment, the client terminal process module1102 will begin execution at the end of the boot process, and thusprovide the only means by which the user may use the client computersystem 1006 during its operation.

The communications interface software modules 1104 performs the securecommunications with between the client computer system 1006 and theserver 1004 and any security related processing. This may include, forexample, encryption and parsing as defined in the previously identifiedpatent applications that have been incorporated herein. This module mayalso be involved in the authentication of the client computer system1006 to the server 1104 as well as its current operation in a secure andtrusted state after having booted from the secure boot device 1002.

FIG. 11B illustrates storage and management of one or more processingmodules, such as modules 1101-1104, on the secure boot device 1002. Inthe embodiment shown, the secure boot device includes a read/writememory 1120 and a read only memory 1140. The read/write memory 1120includes an open read/write portion 1122 and a dedicated read/writeportion 1124. In certain embodiments, the open read/write portion 1122,the dedicated read/write portion 1122, and the read only memory 1140 areviewable to a user of a computing device as separate logical memoryspaces (e.g., separate drives); however, in other embodiments, thesepartitions could be considered separate directories or otherwiselogically distinct.

The open read/write portion 1122 generally is useable by a user to storeunsecured files, such as documents or files retrieved from websites bythat user while using the secure boot device. In some embodiments, theopen read/write portion 1122 is accessible for storage only when thesecure boot device 1002 is used to boot a computing system to which itis connected; in other embodiments, the open read/write portion 1122operates as a traditional storage device when the secure boot device1002 is inserted into such a computing system.

The dedicated read/write portion 1124 includes a plurality of softwaremodule storage areas in which different types of software can be stored.In the embodiment shown, the dedicated read/write portion 1124 includesa runtime content area 1126, a custom content area 1128, and first andsecond thin client operating system areas 1130, 1132. In alternativeembodiments, other storage areas could be used as well. Additionally, inthe embodiment shown, the dedicated read/write portion 1124 can besecured using a private partition key which can be used to decrypt thedata in the dedicated read/write portion 1124 upon receipt of a PIN orother credential.

In the embodiment shown, the runtime content area 1126 storesconfiguration information used locally on the secure boot device toindicate a configuration of the local device to be used when a computingsystem is launched using the secure boot device. In certain embodiments,the runtime content area is password protected, preventing anunauthorized user of the secure boot device 1002 from accessing thisconfiguration information, or rebooting a computing system using thesecure boot device.

The custom content area 1128 stores specific provisioning information,for example a location of a secure server to connect to, as well asvarious options for connection. The custom content area 1128 can alsooptionally store branding information, for example to indicate theparticular customer or entity distributing the secure boot device 1002to its employee or affiliate.

A first thin client operating system area 1130 can store a thin clientversion of an operating system, as well as one or more applicationscapable of running on that operating system. In some embodiments, thefirst thin client operating system area 1130 stores an embedded versionof an operating system, such as Windows XP Embedded, from MicrosoftCorporation of Redmond, Wash. Other embedded operating systems could beused as well. In some embodiments, the first thin client operatingsystem area 1130 also stores other application data, such as could beused to access remote websites or other remotely networked resources.One example of such an application is an Internet Explorer web browserprovided by Microsoft Corporation of Redmond, Wash. Other applicationscould be included as well.

The second thin client operating system area 1132 stores a second thinclient version of an operating system applications capable of running onthat operating system, as well as optionally one or more securitymodules configured to provide application-level access to securityfeatures useable on a computing system booted from a secure boot device1002. In this embodiment, the second thin client operating system area1132 can store, for example, an open source thin client operating system(e.g., Linux-based), as well as virtualization software, remote desktopsoftware, and browser software (e.g., Firefox or Chrome web browsers).The second thin client operating system area 1132 can also optionallystore one or more security applications allowing a user to control thesecure connection established with a remote server. For example, thesecond thin client operating system area 1132 can include Stealthapplications and driver software, as well as a remote update agentconfigured to manage updating of software on the secure boot device 1002in accordance with the methods and systems described below inconjunction with FIGS. 22-25.

The read-only portion 1140 stores one or more utilities intended to beused to establish secure connections, such as libraries and utilitiesconfigured to establish a cryptographically split connection with one ormore servers. In certain embodiments, the read-only portion 1140 storesan operating system kernel useable with thin client operating systemsoftware stored in the second thin client operating system area 1132.Additionally, in the embodiment shown, the read-only portion 1140 can besecured using a private partition key which can be used to decrypt thedata in the read-only portion 1140 upon receipt of a PIN or othercredential.

In some embodiments, in particular those described below in which updateof the secure boot device 1002 is performed, the dedicated read/writeportion 1124 also includes a replacement area 1150 for one or moreportions of the software stored therein. In the embodiment shown, areplacement custom content area 1128, and first and second thin clientoperating system areas 1130, 1132 are shown. In such embodiments, theseportions can be updated from a remote system, such as a remote updateserver or update enclave. Update agent software stored in the secondthin client operating system area 1132 can be used to track the statusof an update, such that the replacement software modules can besubstituted for the active software modules once fully downloaded from aremote system.

FIG. 12 illustrates a flowchart of a method 1200 for using a secure bootdevice, such as device 1002, to create a secure connection to a serveraccording to an embodiment of the present invention. In the embodimentshown, a four step process is used; however, in alternative embodiments,more or fewer steps could be performed. The method 1200 begins with auser suspending the operation of a client computer, such as clientcomputer system 1006, by halting the operation of its standard operatingsystem in step 1201. In one embodiment, a client computer system 1006typically runs a version of the Windows™ operating system from theMicrosoft Corporation; however, in alternative embodiments, differentoperating system software could be executed on the client computersystem 1006. Irrespective of the particular operating system used, theoperating system of the client computer system 1006 is halted in orderto permit the client computer system 1006 to reboot using the secureboot device 1002, i.e., the small OS shell 1103.

A user attaches the secure boot device 1002 to the client computersystem 1006 and the computer is rebooted in step 1202. If the secureboot device 1002 corresponds to a USB memory stick, the device is merelyinserted into a USB port on the client computer system 1006 prior torebooting the computer. Other arrangements are possible as well,depending upon the particular format taken by the secure boot device.When the client computer system 1006 is rebooted, it is instructed touse the operating system image stored on the secure boot device 1002that causes the trusted system software to be loaded and the clientterminal process module 1102 to be executed.

In step 1203, the user provides additional information to the clientterminal process module 1102 used in the authentication process as asecure connection 1203 is established between the client computer system1006 and the server 1004. A secure connection 1010 is then establishedusing the information from the secure boot device 1002. The user may nowuse this secure connection 1010 in step 1204 to perform bankingtransactions on the server 1004. Once all of these transactions arecompleted, the user may shut down the client computer system 1006 andreboot into its standard operating system, returning the client computersystem 1006 to normal operation. This shut down process terminates thesecure connection between the client computer system 1006 and the server1004, restoring the functionality of the operating system normallyexecuting on the client computer system 1006.

Referring now to FIGS. 13-15, a set of possible embodiments ofdistributed processing system using a secure boot device to create asecure connection to a server are shown. In these multiple alternateembodiments, a client computer uses the previously described processesof establishing a secure connection to a server via a wide area network(WAN) after the client computer boots from a secure boot device.Typically, the WAN connecting these computers corresponds to the publicInternet, although any communications may be used. The client computers,according to the embodiments shown, generally interact with a secureappliance to provide a trusted connection to a service provider, such asa bank, data center, or other facility or entity desiring securedcommunications. The security related operations of encryption andparsing of the data, as described within the previously identifiedpatent applications are performed in the various illustrated clientcomputers and the secure appliances.

FIG. 13 illustrates a distributed processing system 1300 useable inconnection with a secure boot device to create a secure connection to aserver according to a first of these possible embodiments. Thedistributed processing system 1300 is, in the embodiment shown, oneexample distributed, networked arrangement that can be implementedaccording to the generalized discussion in conjunction with FIGS. 10-12,above. In the embodiment shown, the distributed processing system 1300includes a pair of client locations 1302 a-b. Each client location 1302includes one or more client computing devices 1304, which can join asecured distributed processing system using secure boot devices 1306. Inthe embodiment shown, client location 1302 a includes a network addresstranslation (NAT) module 1308 and a DHCP module 1310, capable of localdomain and network address resolution at the local client site 1302 a.Optionally, other client locations, such as client location 1302 b, caninclude this or other networking functionality as well.

Each of the client devices 1304 are configured to be capable ofaccessing a remote location 1312, such as a central office orinstitution hosting a resource to be accessed. In the embodiment shown,the remote location 1312 is a data center that includes an entityintranet 1314, such as a data center network or other set of resources,that is accessible via a web application 1316. Other types of remotelocation resources could be made available as well. Each of the clientdevices 1304 connect to the remote location 1312 via an open network,illustrated as the internet 1318.

At the remote location 1312, typically one or more access devices,illustrated as a network management system 1320, generally receivesclear text communication from the internet 1318, for example relating totypical, unsecured communication of data. This is illustrated by thesolid line extending from the internet cloud 1318 to the networkmanagement system 1320. The network management system 1320 can perform avariety of operations on inbound and/or outbound data, such as packetinspection and routing, load balancing across one or more computingsystems and/or workloads, and firewall operations. Additionally, theremote location 1312 can include one or more secure gateway devices 1322configured to perform cryptographic splitting and encrypting operations,to allow for secured communication with clients 1304 via a WAN, e.g.,the internet 1318 (illustrated by broken line connections). The securegateway devices 1322 can receive the split and encrypted data at via theinternet 1318, recompose that data into original, clear text data, andforward it to other portions of the remote location 1312 as desired(e.g., to the network management system 1320 for handling).

In some embodiments, a number of secure gateway devices 1322 areaccessible external to the remote location 1312. For example, in someembodiments, a separate secure gateway device 1322 could be madeavailable for every defined community of interest, such thatcommunications for a particular group of users are routed from a commongateway. In other embodiments, secure gateway devices dynamicallyallocate connection bandwidth to client devices 1304 based on currentbandwidth use, and connect to client devices 1304 associated with usersin a number of communities of interest. Other arrangements of gatewaydevices are possible as well.

Additionally, at the remote location 1312, an authentication system 1324can be included which includes one or more provisioning and managementtools for managing memberships in communities of interest, as well asresources accessible by individuals associated with those communities ofinterest. The authentication system 1324 can, in certain embodiments, beconfigured to authenticate a user of a client device 1304 and associatedsecure boot device 1306. The authentication system 1324 can beconfigured to, for example, receive username and password,cryptographically-signed certificate, or PIN or other information from auser of a client device 1304 seeking to connect to the remote location1312 via a secure connection, and can transmit one or more encryptionkeys to the client 1304, such as an encrypted session key or otherinformation from a cryptographic data set, as discussed above inconnection with FIG. 7.

It is noted that data connections between the secure gateway appliance1322 and a local server, such as the authorization server 1324, istypically trusted because of its co-location within a data center or theuse of a secure connection that is otherwise trusted. The secure gatewaydevice 1322 typically involves the use of encryption keys that areassociated with the identity of particular users. These keys may consistof public key encryption keys that would use a set of keys at the client1304, and a corresponding set of keys at the secure gateway device 1322.The set of keys used by the client 1304 may be stored on the secure bootdevice 1306 and are not accessible by the user. As part of theauthentication process, the stealth authorization server 1324 may beused to perform any desired authentication and then identify the neededencryption keys that are needed by the secure gateway device 1322 foruse in performing the secure communications.

In use, typical client operations contacting the remote location 1312can be performed using clear text communication. However, when a userwishes to perform one or more sensitive transactions involvingconfidential data, that user can reboot his/her client 1304 at theclient location 1302 using a secure boot device 1306 as discussed above.Software modules from the secure boot device 1306 are loaded at theclient 1304, and optionally a user is prompted to enter his/herusername, certificate, or other credentials. Upon authentication of thatuser, the client 1304 will form a secure connection with a securegateway device 1322 that is either defined in memory of the secure bootdevice 1306 or received via the authorization server 1324. The secureboot device 1306 will dictate communication with only the remotelocation 1312, and will require communication to occur via the securegateway devices 1322. Accordingly, implementation of the distributedprocessing system 1300 allows an entity to protect sensitive data beingpassed over public, IP-based networks.

It is noted that, to devices communicating via the internet 1318 usingclear text communications, the various devices communicating only viasecure communication protocols of the present disclosure (e.g., a client1304 when securely booted using a secure boot device 1306, a gatewaydevice 1322, or the authorization server 1324 in the embodiment shown)appear non-responsive to other devices connected to the internet 1318.For example, the authorization server 1324 may not respond tocommunications in clear text, and one or more gateway devices may simplyforward data received in clear text to the network management system1320. This includes both clear text devices, as well as other clientsand/or gateway devices operating using only a different set ofcommunity-of-interest keys. This prevents unauthorized access to thedata as transmitted, or “data in motion”, within the distributed system1300. Additionally, it prevents network browsing and malware injectionsby unauthorized systems via the internet 1318.

Referring now to FIG. 14, a second example of a distributed processingsystem 1400 useable in connection with a secure boot device to create asecure connection to a server is shown. In this embodiment, thedistributed processing system 1400 represents an arrangement in whichthe secure connection into an intranet of a remote system is provided asa managed service, i.e., by an entity other than the administrator ofthe intranet within which the secured, community-of-interest protectedresources reside. In this embodiment, the authorization server 1324exists connected to the internet 1318, separate from the remote location1312. In this second embodiment, a trusted connection from a securegateway appliance 1322 and the authorization server 1324 may be needed.In both of these cases, the secure gateway appliance 1322 is physicallyconnected via intranet 1318 to the server providing the web application1316. Additionally, one or more external secure computing resources 1402can be included in the distributed processing system 1400 and use ofthose systems could be authenticated by the authorization server 1324 inthis embodiment, because it is not specifically only affiliated with theremote location 1312, but instead can transmit secure messages andprovide authentication via the internet 1318.

Referring now to FIG. 15, a third example of a distributed processingsystem 1500 useable in connection with a secure boot device to create asecure connection to a server is shown. In this distributed processingsystem, the secure gateway system 1322 is physically located in a localintranet of a managed service provider 1502. A managed service provider1502 can be, for example, an entity configured to manage resourcesneeded to administer communities-of-interest, encryption keys, accesscontrol lists, and other information typically managed by anadministrator of a local intranet. In the embodiment shown, thedistributed processing system 1500 includes a client 1304 and associatedsecure boot device 1306 as discussed above; the distributed processingsystem also includes a remote location 1312, in this embodiment being acustomer of the managed service provider 1502. In the embodiment shown,the remote location 1312 includes an analogous entity intranet 1314,such as a data center network or other set of resources, which isaccessible via a web application 1316. The remote location 1312 alsoincludes a network management system 1320, for example for loadbalancing and routing of data within the intranet.

As compared to the two prior embodiments, in this embodiment the managedservice provider 1502 is illustrated as including a separate serviceenclave 1504 and a customer enclave 1506. As referenced in the presentdisclosure, an “enclave” generally refers to a particular area ornetwork of one or more computing systems defined by function.

Generally, the service enclave 1504 includes one or more computingresources configured to be managed by the managed service provider 1502,including management of community-of-interest keys, memberships incommunities of interest, authentication of users and granting of accessto resources in a secured location. In the embodiment shown, the serviceenclave 1504 includes a service appliance 1508, an administrationappliance 1510, an authorization server 1512, and a DHCP server 1514.

The service appliance 1508 is generally an appliance having a knownaddress, such that instructions stored in a secure boot device (e.g.device 1306) include an address for that appliance, to allowauthentication of a user of the device. The service appliance 1508receives initial connection requests from one or more clients 1304, andestablishes an encrypted connection to the client 1304 to provide theclient with its one or more community of interest keys, and othersecure, community-of-interest-specific information. In certainembodiments, the service appliance 1508 is accessible using either anadministration community-of-interest key or a service key. The servicekey can be, for example, a key provided to users, e.g., stored in aread-only portion of the secure boot device, such that the boot deviceitself is authorized to and configured to connect to the serviceappliance 1508 to obtain one or more community-of-interest keystherefrom.

The administration appliance 1510 provides access to the service enclave1504 for administrative tasks related to the service enclave 1504 andcustomer enclave 1506. Example tasks performed via access to theadministrative appliance include, for example configuring addresses ofgateway appliances, configuring membership lists in one or morecommunities of interest and keys associated with those communities ofinterest, logging events, creating and managing virtual private networkswithin the customer enclave 1506, and other tasks. In some embodiments,a user requires an administration community-of-interest key to accessthe administration appliance 1510, to prevent unauthorized access bycustomers or other unauthorized individuals.

The authorization server 1512 manages keys associated with each of theone or more communities of interest associated with the customer enclave1506. The authorization server 1512 receives login information from auser of a client 1304 and associated secure boot device 1306, andreturns the COI keys and identity of the secure gateway appliance towhich that user is authorized to connect (discussed below). The DHCPserver 1514 manages addressing of systems within the service enclave1504, providing IP addresses for resources accessible via the serviceappliance 1508.

The customer enclave 1506 includes a secure gateway appliance 1516, aswell as a network addressing table (NAT) 1518. The secure gatewayappliance 1516 provides an endpoint to which all secure communicationsfrom the client 1304 are directed, while the NAT 1518 receives cleartext communications from the client 1304 or remote location 1312.Preferably, the resources accessible via the secure gateway appliance1516 and the NAT 1518 are not coextensive, i.e., no clear textcommunications via the NAT reach the network resources specificallyassociated with the community-of-interest enabled at the client 1304 andthe secure gateway appliance 1516. In the embodiment shown, a DNS server1520 and DHCP server 1522 are included at the customer enclave 1506. TheDNS server 1520 allows definition of one or more virtual privatenetworks among computing resources in the customer enclave 1506, therebyallowing for segregation of computing resources on a community ofinterest basis within the customer enclave. The DHCP server 1522 allowseach endpoint connecting to the customer enclave 1506 to acquire asecured private network address to be used in the customer's securedportion of the customer intranet within the customer enclave 1506.Static routes are configured via the DHCP server 1522 to allow TCP/IPpackets from a client to be properly routed to the customer intranet.

It is noted that in the example of FIG. 15, the secure gateway appliance1516 can be used, not only by more than one community of interest withina particular entity as discussed above with respect to FIGS. 13-14, butcan also be addressed by multiple different, unaffiliated customers ofthe managed service provider 1502. Accordingly, additional remote sites1312 and clients 1304 could be incorporated as well.

For example, a first client 1304 may be affiliated with a first entity,and a second client may be affiliated with a second entity. To initiatesecure communication with that user's specific resources within thecustomer enclave, both clients would first access the service enclave1504, via the service appliance 1508, using the same service key. Uponvalidation, each of the first and second client would retrieve its ownrespective community-of-interest keys associated with the users of thoseclients, e.g., based on his/her roles relative to the entity with whichthose users are affiliated. The service enclave 1504 can be configuredto provide relevant community-of-interest keys related to users of boththe first and second clients to the secure gateway appliance 1516, or todifferent gateway appliances associated with the same customer enclave1506. When each respective user is validated and accesses his/hercommunity of interest keys (e.g., via the methods and systems of FIG.12, above, or FIG. 17, below, that user can initiate communication witha secure gateway appliance 1516 using the community-of-interest key toaccess user- and entity-specific resources (e.g., virtual private LANs,SANs, or other resources) managed within the customer enclave 1506.

Once a secure connection is established, data is routed to a securegateway appliance 1516 for communications with the server 1524 at thecustomers intranet (e.g., intranet 1314) running the web serviceapplication 1316, the banking application for example. In this thirdembodiment, the server 1524 may be located in a separate location on theInternet. A separate secure connection may be used to connect the securegateway appliance 1516 and the server 1524.

FIG. 16 illustrates a flowchart 1600 of creating a secure connectionaccording to an embodiment of the present invention. The flowchart 1600outlines example steps taken by a user, a customer facility, and one ormore configuration devices or entities (e.g., an entity responsible forconfiguring authentication of the user within a virtual networkaffiliated with the customer facility). A configuration data collectionoperation (step 1602) involves

A BIOS modification operation (step 1604) involves modifying a BIOSconfiguration setting within a BIOS of a computing system, such that thecomputing system can be used as a terminal to connect to a remoteserver, for example to conduct transactions with a bank or otherfinancial institution. In general, the BIOS modification operationinvolves assigning a boot order to devices associated with the computingsystem operated by the user (e.g., client 1304). In some embodiments,the BIOS modification operation enables the client computing system toboot from a USB device, such as the secure boot device described in someembodiments above.

A terminal launch operation (step 1606) corresponds to a user insertinga USB-stick boot device into a USB port of a computing system, andrebooting the computing system via that particular secure boot device.The terminal launch operation further includes, upon the computingsystem booting from the secure boot device, entering one or more typesof user credentials when prompted by the computing system, for exampleto validate the user's identity (e.g., using a username and password,cryptographically-signed certificate or PIN number security system).

A location selection operation (step 1608) allows a user to select aparticular location to which to connect. For example, the locationselection operation may in certain embodiments allow a user to select aparticular branch of an institution, or a particular region, or aspecific division of that institution. In any event, selection of alocation via the location selection operation allows the method 1600 todetermine the particular secure gateway device to which the clientcomputing system will connect. If the user elects to add a new location,a new location operation (step 1610) receives network and configurationdata for that new location. The new location can, for example, be aparticular branch or other division of the institution to which securetransactions are desired for that user; in the context of the presentdisclosure, a new location will typically be a location having aseparate secure gateway device; however, other arrangements are possibleas well for defining a new location.

A terminal initiation operation (step 1612) presents a welcome screen toa user, and transmits to the user via a SSL or other tunnel-basedconnection the one or more community of interest keys associated withthat user. Alternatively, in some embodiments, the community-of-interestkeys are stored on the secure boot device, and the terminal initiationoperation can send a decryption key to the now-secure-booted clientcomputing system to decrypt and access those community-of-interest keys.

A secure tunnel operation (step 1614) sets up a secure tunnel betweenthe client computing system and the designated location (e.g., anaddress of a secure gateway device) using the one or more community ofinterest keys and other encryption information associated with thatuser. If necessary, the one or more community of interest keysassociated with the user are transmitted from an authorization server tothe identified secure gateway device, allowing that device tocommunicate with the client computing device, thereby enabling thesecure connection between those devices via the internet.

A login operation (step 1616) receives login information from a user,for example a username and password, a cryptographically-signedcertificate, or PIN-based authorization. The user is validated, and canconduct one or more transactions at a transactions operation (step1618), which corresponds to execution of one or more transactions at acustomer facility.

While the above embodiments of the present invention describe theinteraction of a client computing system and a server computing systemover a secure communications connection, it is recognized that otherarrangements for secure connection and communication between a clientdevice and server system or dedicated customer resource is possible. Aslong as a secure boot device, such as a USB memory stick, as describedherein, is used to boot the client computer and to create the connectionwith the server, the present invention to would be useable in performingsecure transactions. Additionally, any of a variety of methods forsecuring an otherwise unsecure terminal could be used as well. It is tobe understood that other embodiments may be utilized and operationalchanges may be made without departing from the scope of the presentinvention.

Referring generally to FIGS. 10-16, it is recognized that using thesecure communications infrastructures discussed herein, a number ofadvantages are obtained over existing secure connections. For example,using the secure boot devices and resulting secure terminal connectionto resources over a public network (e.g., the Internet), a user is stillable to maintain a trusted, virus-free computing system at a clientsite, despite potential corruption issues both relating to datatravelling over the open network and data stored at the client device(e.g., on a hard drive of the client device). This reduces the risk ofvarious types of phishing, eavesdropping, and screen- or keystrokerecording, because the institution to which a client user connectsreliably knows what software is operating at that client device.

IV. Coexistence of Secure Tunnels with Internet-Based Infrastructure

Referring now to FIGS. 17-21, example methods and systems are disclosedrelating to a further possible embodiment of the present disclosure inwhich a secure tunnel connection, such as those described above usingcommunity-of-interest based encryption and segregation of resources, canbe used in conjunction with clear text communication to apublicly-available resource, such as an internet site. FIG. 17illustrates a basic example network in which such an arrangement mayoccur, while FIGS. 18-19 illustrate particular example networks similarto the managed service network described above in FIG. 15, in which sucha hybrid secured/unsecured arrangement is managed. FIGS. 20-21illustrate example methods for managing concurrent secure and unsecuredconnections at a client device.

Referring now to FIG. 17, an example network 1700 is shown in whichsecure tunnels can coexist with clear text communication, according to apossible embodiment of the present disclosure. In the network 1700, aclient device 1702 connects to a secure appliance 1704 via an opennetwork, such as the internet 1706. One or more public sites 1708 arealso available to be accessed from the client device 1702.

In this embodiment, client device 1702 corresponds generally to anycomputing system capable of secure communication usingcommunity-of-interest based security and the cryptographic securityarchitecture generally described above in connection with Section I. Theclient device 1702 can be, for example a computing system as discussedin connection with FIGS. 4-6. The secure appliance 1704 can alsogenerally be any secured endpoint or gateway device, such as thosedescribed above.

In the embodiment shown, the client device 1702 includes one or morecommunity-of-interest keys 1710 and an associated one or more filters1712. In one embodiment, each community-of-interest key has anassociated filter; in other embodiments, different numbers of keys andfilters can be used.

Generally, the community-of-interest keys 1710 stored on the clientdevice 1702 are used to cryptographically split messages passed to aparticular endpoint known to be capable of reconstituting those messagesfor use at an opposite end of an unsecured network, so as to providesecurity between the two endpoints. In certain embodiments disclosedherein, an additional clear text community-of-interest key can be usedwhich, when associated with a particular message, allows forcommunication of clear text messages concurrently with use of securecommunication (including use of the secure software stack 608 of FIG.6).

Optionally, associated with each of the community-of-interest keys 1710,a filter 1712 can be defined, for example by an administrator of asecure network, using a provisioning utility of an administrationappliance. The filter 1712 defines one or more permissions associatedwith each community-of-interest key 1710. Each filter can take a varietyof forms. In one example embodiment, a plurality of filters can bedefined in an XML file associated with each community of interest, andwhich are delivered to a user alongside any relatedcommunity-of-interest key(s). For example, a filter can define a key byits key name, and then define an allowed access list of IP addressesrelating to endpoints that the client device 1702 is permitted tocommunicate with using the identified key, or optionally an “exclusions”access list of IP addresses relating to endpoints that the client device1702 is not permitted to communicate with. An example of a portion of afilter 1712 is illustrated below, in which two community-of-interestkeys are defined:

<tuples> <key id=ClearText1> <type>5</type> <keyName>keyname</keyName><denyAccessList> <IPAddress name=”*”> <exceptFor count=”1”> <IPAddressname=”121.15.20.31” /> </ exceptFor> </IPAddress> </denyAccessList></key> <key id=Stealth1> <type>0</type> <keyName>keyname</keyName><hostIP> 139.72.10.10</hostIP> </key> </tuples>

In this example, a clear text filter, defined as “ClearText1” allows anassociated endpoint to communicate with any endpoint except for one ataddress 121.15.20.31, which is included in an exclusions list (deniedaccess). Further, a second filter, defined as “Stealth1”, has nospecific exclusions or limitations on where it can or cannot transmitmessages, but is specifically instructed that it has a “home” gatewaylocated at 139.72.10.10. If both of these filters are associated withthe same user, that user could communicate with a number of networkaddresses via clear text, while also communicating with various networklocations via the secured connection and community-of-interest keyassociated with the “Stealth1” filter, including the endpoint or gatewayat 139.72.10.10. Other example filters could be defined as well, forexample to exclude clear text communication from occurring to the sameendpoint to which secured communication is directed from a given clientdevice.

In some embodiments, client device 1702 can include an application 1714that runs as a background process and which manages selection of one orboth of clear text and cryptographically secure communication settings.In such embodiments, client device 1702 can be configured to selectivelyallow or disallow use of one or more clear text or secure filters bydisabling that type of communication at the application level. Inadditional embodiments, the client device 1702 is by default configuredto include a clear text filter, and does not need to retrieve thatfilter from a remote system such as an authorization server. Once theauthorization server in fact authorizes the client device 1702 forcryptographically secure communications and community-of-interest keysare provided to that client device 1702, the clear text filter may bemodified, for example to prevent clear text communication to a knownsecure appliance 1704 configured to communicate with the client device1702 using cryptographic security. Other embodiments are possible aswell in which the clear text filter is selectively provided to eachclient device 1702 by an authorization server as needed/desired.

Additionally, in some embodiments, secure appliance 1704 or clientdevice 1702 can generate a tunnel status report 1716 relating toactivity at the secure appliance 1704, either specifically relating toclient device 1702 or generally relating to any client devicetransmitting packets to the secure appliance. Example informationincluded in the tunnel status report 1716 can include, for example, acurrent connection status and keys used for connection to the secureappliance by one or more client devices. Other information can beincluded in the tunnel status report as well.

As can be seen from this key/filter arrangement, the network 1700provides added functionality to existing secured networks (e.g., VPN)which route all traffic via a secure tunnel when such a tunnel has beenformed between endpoints.

Furthermore, as compared to the secure transactional systems describedabove in connection with FIGS. 10-16, in this arrangement, a user of aclient device is not precluded from accessing unsecured resources;accordingly, a user of a secure boot device or other system thattypically prevents communication other than to a particular gateway orserver of an institution can use the methods and systems discussedherein to also allow access to all or selected publicly available sitesaccessible via clear text browsing.

Referring now to FIG. 18, a distributed system 1800 is illustrated inwhich secure tunnels and clear text communication can exist, accordingto a possible embodiment of the present disclosure. In this embodiment,the distributed system 1800 generally illustrates use of concurrentclear text and secured communications from the same endpoint whileconcurrently using a secure managed service network. This arrangementmay be implemented, for example, by one or more companies or otherentities wishing to communicate from a trusted intranet to a remotelymanaged network application via an open network. In cases such as thatdepicted in FIG. 18, where that remotely managed network applicationmanages sensitive data, a secure communication arrangement is desiredbetween the local intranet and that remotely managed application, butconcurrent normal, clear text access to a public network site (e.g., anaddress accessible via clear text on the internet) is desired as well.

In the embodiment shown, the distributed system 1800 includes a set ofclient devices 1802, each located in customer local area networks 1804a-b. Both customer local area networks 1804 are connected to a serviceenclave 1806 and a customer enclave 1808 via a public network, shown asthe internet 1810. The internet 1810 additionally connects the localarea networks 1804 a-b to a variety of publicly-available internetsites, in the example shown as public internet site 1812. Additionally,one or more client computing systems 1802 can be directly connected tothe internet 1810 without being a part of a customer local area network1804, for example a home user or other remote access user wishing toaccess applications or resources managed at the customer enclave 1808.

The service enclave 1806 includes a plurality of computing devices,depending upon the particular requirements of the managed entities. Inthe embodiment shown, the service enclave includes a service appliance1814, and a plurality of computing devices 1816 a-d. In variousembodiments, one or more of the computing devices 1816 a-d can includean administration gateway including a provisioning tool, by which anadministrative user can define and provision one or more other gateways,endpoints, and network resources. Others of the computing devices 1816a-d can be an authorization server configured to provide authenticationof users connecting to the service enclave 1806 via a service gateway.Still other computing devices 116 a-d can provide DHCP or other networkrouting services.

The customer enclave 1808 includes a customer appliance 1818 as well asa plurality of computing devices 1820 a-b. In various embodiments, thecustomer enclave can be managed by the one or more computing devices1816 a-d of the service enclave to form one or more virtual privatenetworks, with each such network associated with a particular communityof interest. Each community of interest can be specific to one of thecustomers (e.g., a separate community of interest for each customerlocal area network 1804 a-b, respectively), or based on an identity of auser within those networks. Accordingly, the generalized networktopology of the distributed system 1800 is similar to that illustratedabove in conjunction with FIG. 15, but is adapted for use by either anuntrusted client device and associated secure boot device, or for secureaccess from a trusted client, such as a client within a trusted clientintranet (e.g., customer local area network 1804).

In general, the key and filter arrangements of the present disclosureallow concurrent access to both secured systems, such as those at theservice enclave 1806 and customer enclave 1808, as well as to publicinternet site 1812, as desired. To allow a particular user access toboth secured and unsecured resources, that user must simply be includedwithin a secure communities of interest and a clear text community ofinterest, such that the client computing system associated with thatuser will receive a community-of-interest key, as well as one or morefilters defining allowed secure and clear text communication. Dependingupon the definitions included in the filter associated with thecommunity-of-interest key, the user may be allowed partial or full cleartext communication capabilities, while concurrently communicatingsecurely with one or both of the service enclave and customer enclave.

FIG. 19 illustrates a more particular example of a distributed hybridsystem 1900. In this example, a network topology is illustrated thatallows use of any of clear text, virtual private network, or secureconnections, using the distributed systems of FIGS. 17-18, according toa possible embodiment of the present disclosure. In this system, a usercan connect to a private cloud, such as a customer enclave 1902, via apublic network such as the internet 1904, using one or both of a VPNconnection and a cryptographic, community-of-interest-based connectionaccording to the principles of the present disclosure. In the embodimentshown, a client device 1906 is configured at a customer intranet 1907with both a “stealth” based cryptographic splitting virtual adapter anda virtual private network virtual adapter. This can correspond, forexample to the network interface infrastructure illustrated in FIG. 6,described above, in which first and second secure communication stacks608, 609 are implemented.

The customer enclave 1902 includes, in the embodiment shown, a DHCPserver 1908, a domain server 1910, a stealth server 1912, and anapplication server, shown as Exchange server 1914. Other networkresources could be included in the virtual private network as well. Fromthe internet 1904, the virtual private network 1902 can be accessed viaeither VPN server 1916, or a secure appliance (e.g., from secureappliances 1918 a-b). Additionally, one or more public internet sites1920 are available to a client device 1906 via the internet 1904.

In this example configuration, the client device 1906 is configured withboth a Stealth virtual adapter (illustrated as being assigned IP address172.30.0.100) and a VPN virtual adapter (illustrated as being assignedIP address 172.31.0.110). The client device 1904 is further configuredwith a clear text filter, analogously to the example of FIG. 17, toallow access to the public internet sites 1920 via clear text, and tothe VPN server 1916. Additionally, the physical adapter with the NATassigned IP address (10.0.0.11) is used for local communications toother endpoints in the NAT subnet, e.g., at the same location as theclient device 1906.

In certain embodiments, the customer enclave 1902 includes a DHCP server1908 to allow the client device 1906 to acquire a Stealth VPN address tobe used in the Stealth-enabled portion of the customer's intranet 1907.Static routes are configured via the DHCP server 1908 to allow TCP/IPpackets on the endpoint to be properly routed to the customer intranet1907. The destination IP address/subnet in the customer intranet isconfigured with a static route so Windows TCP/IP selects the correctvirtual adapter. For example, if the client device 1906 is using thesecure appliances 1918 as a destination, then the stealth virtualadapter must be selected by Windows TCP/IP stack in that client device.If the destination is using the VPN path (i.e., via VPN server 1916),then the VPN virtual adapter must be selected by Windows TCP/IP.

Referring now to FIGS. 20-21, methods for authenticating a system foruse of coexisting stealth-enabled and clear text tunnels are described,as well as for configuring a distributed system including such tunnelsusing a provisioning utility. FIG. 20 illustrates a flowchart of amethod 2000 for authenticating a client device, such as an endpoint, foruse of coexisting secure and clear text tunnels, according to a possibleembodiment of the present disclosure. The method 2000 generallycorresponds to a client device requesting authorization from anauthorization server, such as may be located within a service enclave ofa managed environment, to communicate with one or more other endpointsor gateway devices using secure, stealth-based communication and cleartext communication to other locations in an open network.

The method 2000 is initiated, a request is transmitted for authorizationof a user from a client device to a service enclave, for example to theauthorization server (step 2002). The request can include, for example auser identifier and password or other authentication information, suchas a PIN based authentication.

At an authorization server, the identification of the user of the clientdevice is checked against a list of communities of interest that aredefined using a provisioning utility at the service enclave. Once theclient device associated with the user is authorized, it receives one ormore community-of-interest keys and filters defining connection rightsfrom a remote system (step 2004), such as an authorization server via aservice appliance, as discussed above. The community-of-interest keysand filters define the available endpoints to which the client devicecan communicate and receive communication, both in stealth-enabled(cryptographic) and clear text.

Once the client device has received the community-of-interest keys andfilters, it can communicate using the community-of-interest keys aslimited by the associated filters. In step 2006, the client device cantransmit one or more messages to one or both of clear text orcryptographically-enabled endpoints using a clear text or secure filteralongside a specified community-of-interest key, if that message (cleartext or cryptographic) is allowed based on the defined access lists(both inclusion and exclusion permissions) in the associated filter. Instep 2008, the client device can also receive one or more messages fromone or both of clear text or cryptographically-enabled endpoints. It isnoted that, even if the remote endpoint transmits a message in cleartext or using a community of interest key available on the endpoint, thecommunications software stack at the client device will discard themessage if received from an unauthorized remote endpoint, as defined inthe filters received at the client device.

FIG. 21 illustrates a flowchart of a method 2100 for configuring adistributed system including coexisting secure and clear text tunnelsusing a provisioning utility, according to a possible embodiment of thepresent disclosure. The method 2100 can be used, for example toassociate users with communities of interest and defining filters to beassociated with those communities of interest, thereby controllingaccess to endpoints (clear text and cryptographically secured) for thatparticular user. The method 2100 can be performed, for example, using anadministration appliance, such as those discussed above in connectionwith FIGS. 15 and 18.

The method 2100 is initiated by opening a provisioning utility, such ascan be made available via an administration appliance of a serviceportal, and defining one or more communities of interest and filtersassociated with those communities of interest using the provisioningutility (step 2102). This can include, for example, using a provisioningtool of an administrative gateway to define communities of interest andfilters, as discussed above in connection with FIGS. 17-18.Alternatively, the one or more communities of interest can be definedbased on a user's membership in another user group, such as a definedgroup within Active Directory. In such an arrangement, those predefinedgroups could be associated with particular keys, filters, and accesspermissions using the provisioning utility.

After the distributed system is provisioned, a service enclave canreceive an authorization request from a client device or endpoint (step2104). The service enclave typically establishes a secure connectionwith the client device using a service key to maintain encryption. Theservice key can, for example be stored in an obscured location at aclient device. In one example embodiment, the service key can be storedin a registry entry at a client device. In another example embodiment,the service key could be stored within a read-only or read-write memoryof a secure boot device, such as a device as described above inconnection with FIGS. 10-16. Other storage arrangements for the servicekey could be used as well.

A set of communities-of-interest are determined to be associated withthe user of the client device (step 2106), for example at theauthorization server. The authorization server returns thecommunity-of-interest keys and filters, alongside any other informationin a cryptographic data set, to the client device (step 2108), for usein establishing a secure connection with a customer enclave.

Although in FIGS. 20-21, a particular order of operations isillustrated, it is understood that other arrangements of these methodsare possible. Additionally, more or fewer steps could be used toaccomplish the provisioning and access methods described herein.

Overall, referring to FIGS. 17-21, it can be seen that using thecommunity-of-interest keys and filters, alongside the communicationsinfrastructure provided at a computing system as discussed above inconnection with FIGS. 4-6, a user can be enabled to communicate viaclear text with selected public sites via the internet whileconcurrently communicating via cryptographic security features withother secure endpoints. This allows even trusted terminals, such asthose using secure boot devices described above in connection with FIGS.10-16, to perform both dedicated secure operations and to accessexternal websites to the extent allowed by an administrator of adistributed system. Additionally, concurrent clear text andcryptographic communication allows an administrator to implement ahybrid access arrangement in which any of clear text, virtual privatenetwork, or stealth-enabled, cryptographic communications can be used.

V. Updating of and Key Management in Secure Endpoints

Referring now to FIGS. 22-25, example systems and methods for managingkey distribution throughout a distributed system are described, andmethods for updating security and system software at remote terminalsare also described in the context of such a distributed system. Thedistributed system used can be, for example, a network providing amanaged service to one or more customers, such as would include theexample service and customer enclaves discussed in the above examplesillustrating other features of such a system.

FIGS. 22-24 illustrate three example networks that can be deployed tomanage encryption keys and provide software updates to secure clientsoftware. FIG. 22 illustrates an example distributed system 2200 inwhich a secure terminal can be updated during secure connection to acustomer virtual network, according to a first possible embodiment ofthe present disclosure. The distributed system 2200 includes a pair ofclient devices 2202, illustrated as being generalized computing deviceshaving associated secure boot devices 2204. The client devices 2202 canbe located at a common location, or can be at different locations. Theclient devices 2202 can also be associated with the same or differentcustomers, and the users of the client devices 2202 can be part of thesame or different communities of interest.

The secure boot devices 2204 can be, for example, USB-based memorydevices storing a plurality of software modules used to create a secureterminal at the client devices 2202. As mentioned briefly above, each ofthe secure boot devices 2204 can optionally include stored thereon asecure service key and address identifier of a service appliance, suchas service appliance 2206 useable to securely connect to a serviceenclave 2208. In such embodiments, the service key can, for example, bestored within a shell operating system's registry settings. Connectionto the service enclave 2208, and subsequently to a customer enclave 2210(discussed in further detail below) occurs via internet 2212.

An authorization server 2214 within the service enclave 2210 transmits acryptographic data set to the client device 2202, which can act tovalidate the user and provide, for example, one or morecommunity-of-interest keys, one or more filters, a location of a securegateway to which the customer can connect to access the customer enclave2210, and other information. In certain embodiments, the authorizationserver 2214 encrypts the above information for transmission to theclient device 2202 in a manner specific to that client device (e.g.,using a key known by the client device due to data stored on a secureboot device 2204).

The service enclave 2208 includes a number of additional features nottypically used directly by a user of a client device 2202, but ratherfor management of communities of interest and encryption keys associatedtherewith. In the embodiment shown, the service enclave 2208 includes arouter connecting service appliance 2206 to a variety of other serversand networking equipment, including an administration appliance 2216,and a router 2218 configured to connect to the authorization server 2214and other networking components used to maintain and monitor the serviceenclave 2208, including a DNS server 2220, a DHCP server 2222, a systemlogging server 2224, and a stealth administration server 2226. Theadministration appliance 2216 provides an interface to a remoteadministrator of the distributed system, for example an owner of themanaged service (i.e. the service enclave 2208 and customer enclave2210). The interface of the administration appliance 2216 allows anadministrative user to configure one or more communities of interest andfilters as discussed above, as well as configure virtual and physicalnetworks in the service and customer enclaves, and schedule andconfigure updates needed for any trusted software modules executing onclient devices 2202 and stored on secure boot devices 2204. Additionalfunctionality could be incorporated into the administration appliance2216 as well

The stealth administration server 2226 can, in some embodiments,maintain a listing of communities of interest, as well as a listing ofauthentication information and users associated with that authenticationinformation. The authentication information can be username and passwordinformation, a cryptographically-signed certificate, or can be PIN-basedor other code information associated with a particular secure bootdevice 2204. This information can be accessed by the authorizationserver 2214 in response to receipt of requests for access to a customerenclave received from client devices 2202. It is noted that each ofthese components could be a physical server system, or could beimplemented as a virtual system within the service enclave 2208.

In certain embodiments, the authorization server 2214 or some othercomponent within the service enclave 2208 can also transmit to theclient device 2202 an update script alongside the one or more filters,community-of-interest keys, and other information used for establishinga secure connection to a customer enclave 2210. In some embodiments, theauthorization server 2214 transmits the update script when an updatebecomes available to alter the one or more secure software modulesstored on a secure boot device 2204 (e.g., a version of the softwaremodules identified by the client device as present on the secure bootdevice is out of date). As discussed above, in some embodiments, theauthorization server 2214 transmits encrypted community-of-interest keysand other information to the client device 2202 such that the encryptionis performed in a manner specific to that client device.

When a customer wishes to initiate communication with a customer enclave2210, the customer will establish a secure tunnel with an identifiedsecure gateway 2228 using the one or more secure community-of-interestkeys received as part of the cryptographic data set from theauthorization server 2214. Once the secure connection is establishedwith the secure gateway 2228, the customer can access one or moreadditional resources within the customer enclave 2210, such as a webapplication 2230 or other application configured to allow securetransactions, or a hosted application or data storage, as discussedabove. The customer enclave 2210 optionally includes a router 2231 orother internal logical routing equipment for directing customercommunications to a particular application (e.g., web application 2230)or area associated with that customer, based on identifying usersassociated with that customer by the communities of interest to whichthey belong. The customer enclave 2210 also, in the embodiment shown,includes a DNS server 2232 and a DHCP server 2234, useable to route dataamong various virtual private networks and/or systems present within thecustomer enclave.

In the embodiment shown in FIG. 22, an update server 2236 is locatedwithin the customer enclave 2210, and is configured to, based on thecontents of an update script delivered to the client device 2202 by theauthorization server 2214. To update the software on the client device2202, the update server 2236 will transmit to the client device 2202 aset of one or more software modules useable to implement the secureconnection between the client device and one or both of the serviceenclave 2208 and the customer enclave. The set of one or more softwaremodules can be a complete replacement of the software modules present inrewritable memory of the secure boot device 2204, or can alternativelyinclude only a portion of the information included on the secure bootdevice.

As discussed further in connection with FIG. 25, below, the updateserver 2236 can deliver an update as defined on the update scriptconcurrently with a client device 2202 performing one or moretransactions in the customer enclave 2210, such that the update occursin the background (i.e., is opaque to the user of the client device2202). In certain embodiments, the size of an update can be substantial(e.g., greater than 1 gigabyte); as such, the update transfer processfor transmitting the update to the client device 2202 can beinterruptible, and can be restored during a next subsequent connectionbetween the client device 2202 and the customer enclave 2210. Forexample, a user can direct or schedule an update using update clientsoftware stored on a secure boot device, such as discussed above inconnection with FIG. 11B. Additionally, the update client software can,in certain embodiments, allow a user to view a state of the update(e.g., amount of update software that has been downloaded or is yet tobe downloaded).

In an alternative embodiment to that shown in FIG. 22, the update server2236 can be located within the service enclave 2208, rather than thecustomer enclave 2210. In such embodiments, when the client device 2202is securely connected to the customer enclave 2210, the client device2202 can concurrently maintain a connection to the service enclave viathe service key. In such embodiments, the client device 2202 can alsocontinue to communicate with the service enclave, for example to receivesoftware updates to the secure boot device 2204 from the update server2236.

In still a further alternative embodiment to that shown in FIG. 22, theupdate server 2236 can be located within a separate update enclave. Sucha separate update enclave can include one or more computing systems,such as those shown to be incorporated in the service enclave 2208, butcould be used to separate the authentication and updatingresponsibilities across multiple enclaves. This could be used, forexample, to reduce bandwidth stress on the service enclave and customerenclave, depending upon the number of authorization requests and updatesrequired.

FIG. 23 illustrates a second example distributed system 2300 in which asecure terminal can be updated during secure connection to a customervirtual network. In the distributed system 2300, web application 2230resides within a customer network 2302. The customer network 2302 can belocated behind a firewall 2304, separating it from the internet 2212. Inthis arrangement, although the customer of the managed service canretain control over the web application 2230, communication with thecustomer enclave 2210 from the customer network 2302, as well as fromcustomers remote from or otherwise detached from the customer network(e.g., client device 2202 a) can connect to the customer enclave 2210and service enclave 2208 for updates, data storage, and other featuresby way of a secure connection, for example using a secure boot device2204.

FIG. 24 illustrates a third example distributed system 2400 in which asecure terminal can be updated during secure connection to a customervirtual network. In this arrangement, the distributed system 2400 can belocated entirely within a customer's enterprise network, such that onlythat customer will access the service enclave 2208 and customer enclave2210, with each of the communities of interest defined within the system2400 representing separate departments or sub-organizations within thecustomer's infrastructure. In this embodiment, the arrangement of theservice enclave 2208 and customer enclave 2210 can generally correspondto that shown in FIG. 22; however, in this embodiment, an additionalinterface between the authorization server 2214 and a customeradministration infrastructure 2402 may also be included in the serviceenclave. The customer administration infrastructure 2402 can, in certainembodiments, include a customer's internal user validation system, suchas a local area network authentication system, for example ActiveDirectory-based authentication (e.g., Kerberos), or other type ofauthentication system that can receive external authentication messages.

As with FIG. 22, above, in both of FIGS. 23-24, the update server 2236can be located either within the customer enclave 2210 as shown, oroptionally within the service enclave 2208 instead. Example reasons forplacing the update server 2236 within the service enclave 2208 includeseparation of bandwidth required for responding to requests from acustomer enclave 2210 from bandwidth required for performing an update,and maintaining more universal control over updates of securityfeatures, for example in the case of a managed service provider wishingto control update distribution from a service enclave while allowingcustomers to manage/control their own customer enclave resources. Otherreasons for placing the update server 2236 in the customer enclave 2210or the service enclave 2208 may exist as well.

FIG. 25 is a flowchart of a method 2500 for updating a secure virtualterminal connected to a distributed system, according to a possibleembodiment of the present disclosure. The method 2500 can be performed,for example, in any of the distributed systems described above,particularly those discussed in connection with FIGS. 22-24 in which anupdate server resides within a service enclave or customer enclave. Themethod 2500 begins with a user of a client device transmitting a requestfor validation at a service enclave, such as at an authorization server(step 2502). This can include, for example, transmitting a username andpassword, cryptographically-signed certificate, or PIN number forauthorization of a particular user, or an identity of a particularsecure boot device, or some combination thereof. Optionally, thevalidation step can also include transmitting an identifier of a versionof a set of software modules stored at a client device. The softwaremodules can include, for example, one or more secure software modulesstored on a secure boot device, as discussed above in connection withFIGS. 10-16. Alternatively, the software modules can include one or moredriver files used to perform cryptographic communications, such as thedriver files discussed above in connection with FIGS. 1-9. Otherpossibilities exist as well.

After the user is validated at the service enclave, the user can beauthorized to connect to a customer enclave (step 2504). Thisauthorization can take a number of forms. In some embodiments, theauthorization includes transmitting to the client device associated withthe authorized user or secure boot device a cryptographic data setincluding information required to create a secure connection to thecustomer enclave, such as one or more community-of-interest keys andassociated filters, an address of a particular gateway device throughwhich to access the customer enclave, and other cryptographicinformation. Authorization of the client can include, for example,encrypting and transmitting to the client device the one or morecommunity-of-interest keys and associated filters, as well as otherinformation used to connect to a particular gateway or customer enclave.Additionally, this authorization step can include transmitting to theclient device one or more update scripts defining an update process tooccur on the client device.

A secure connection can be established to the customer enclave (step2506) once the client device receives the necessary cryptographic data.This can include, for example, establishing a tunnel between the clientdevice and a gateway device identified by the authorization server inthe service enclave, using one or more community-of-interest keysprovided to the client device, as discussed above.

Once connected to the customer enclave, a client device can be used toperform transactions in the customer enclave (step 2508). Various typesof transactions could be performed; example types of transactions arediscussed above in connection with FIGS. 10-16. Concurrently with theuser connected to the customer enclave, an update server can deliver toa client device one or more updated software modules, based on theupdate script received at the client device (step 2510). In someembodiments, the software modules can be, for example trusted softwaremodules 1101-1104 of FIG. 11A, as included within a secure boot image.In other embodiments, the software modules can include one or morefilters, community-of-interest keys, service keys or service enclavelocations, driver software, or other information to be installed orstored at a client device for use in establishing a secure connectionbetween the client device and a remote system, or for ensuring that theclient device is not infected by malware of some type when suchcommunication is established.

Although illustrated as occurring concurrently with transactionsperformed using the customer enclave, it is recognized that transmissionof an update to a secure client device can occur either before or aftercommencement of transactions at the customer enclave. For example, insome embodiments, at least a portion of an update can occur prior tolaunch of an application for performing such transactions. Otherarrangements and orders of operations within the method 2500 arepossible as well.

It is recognized that in performing this update step, the update servercan, in various embodiments, transmit an encrypted, compressed versionof one or more software modules (or portions thereof) to a client devicefor use as a replacement to modules in a secure boot image. In someembodiments, one or more modules are transferred to a client deviceassociated with a secure boot device, and then transmitted to the secureboot device once completely received, thereby overwriting existingtrusted software modules. In other embodiments, the modules to beupdated are transferred and stored in a temporary storage area of thesecure boot device. In such embodiments, when completely transferred,the modules are then copied into a location reserved for the trustedsoftware modules on the secure boot device, thereby overwriting theprior versions of the trusted software modules. In this embodiment,different client devices could be used for different connection sessionswith the update server without requiring the updated software modules tobe entirely resent if not completed during a previous session.

Referring now to FIGS. 21-25 generally, it can be seen that, through useof a two-level key management scheme, communities-of-interest and keysrelated thereto can be managed and updated in a centralized manner,allowing changes in a service enclave to be propagated to users andcustomer enclaves as customers access the managed service. Additionally,through use of a dedicated update server, optionally included within aservice enclave, a customer enclave, or an entirely separate updateenclave, update processes can be offloaded from a service or applicationhosting system, allowing updates to be performed concurrently withtransaction processing (e.g., at the customer enclave). This reduces thebandwidth demands from the customer enclave and service enclave, each ofwhich may be concurrently hosting multiple users associated with anentity or community of interest, or multiple entities or communities ofinterest.

Referring now to the overall disclosure, the methods and systems of thepresent disclosure provide for both a trusted client device using asecure boot device, as well as secure and flexible access tonetwork-based services via a typically unsecured network. The methodsand systems described herein allow for concurrent secured and unsecuredcommunications, as well as concurrent updating and transactional access.

The foregoing description of the exemplary embodiments of the inventionhas been presented for the purposes of illustration and description.They are not intended to be exhaustive or to limit the invention to theprecise forms disclosed. Many modifications and variations are possiblein light of the above teaching. It is intended that the scope of theinvention be limited not with this detailed description, but rather bythe claims appended hereto.

1. A method of updating a virtual terminal associated with a securenetwork, the method comprising: validating at a service enclave anidentity of a user of a virtual terminal, the service enclave includingan authorization server, and the virtual terminal generated from atrusted set of processing modules executing from a secure boot device ata client computing device; authorizing the user of the virtual terminalto access a customer enclave and an update enclave based on securitycredentials received from the virtual terminal; and while the user ofthe virtual terminal establishes a secure connection between the clientcomputing device and the customer enclave, transmitting updates from theupdate enclave to the client computing device, thereby updating thetrusted set of processing modules.
 2. The method of claim 1, wherein thecustomer enclave and the update enclave have separately establishedsecure connections to the client computing device.
 3. The method ofclaim 1, wherein the customer enclave is located at a customer site, andthe update enclave is located at a managed service provider.
 4. Themethod of claim 3, wherein the service enclave is located at the managedservice provider.
 5. The method of claim 1, wherein the service enclaveprovides authentication and authorization of the client computing devicefor connection to both the customer enclave and the update enclave. 6.The method of claim 1, wherein the security credentials received fromthe virtual terminal includes a security identifier associated with asecure boot device directly communicatively connected to a computingsystem hosting the virtual terminal.
 7. The method of claim 1, whereinthe secure connection transmits split and encrypted data packets betweenthe client computing device and the customer enclave representingtransactions sent from the virtual terminal to the customer enclave. 8.The method of claim 1, wherein validating at a service enclave anidentity of a user of a virtual terminal comprises receiving from theservice enclave a location of the customer enclave, a location of theupdate enclave, and a plurality of keys used to establish secureconnections to the customer enclave and the update enclave.
 9. Themethod of claim 8, wherein validating at the service enclave an identityof a user of a virtual terminal further includes receiving an updatescript
 10. The method of claim 1, wherein transmitting updates from theupdate enclave to the client computing device comprises transmittingupdates to an ephemeral port assigned at the client computing device.11. The method of claim 1, further comprising validating at the serviceenclave an integrity status of a trusted set of software modulesinstalled on the secure boot device.
 12. The method of claim 1, furthercomprising, prior to validating at the service enclave an identity of auser of the virtual terminal, establishing a secure connection betweenthe virtual terminal on the client computing device and the serviceenclave based at least in part on the trusted set of processing modulesexecuting from the secure boot device.
 13. The method of claim 1,further comprising, upon termination of the secure connection betweenthe virtual terminal on the client computing device and the serviceenclave while updates are transmitted from the update enclave,terminating transmission of updates from the update enclave.
 14. Themethod of claim 13, further comprising: resuming a secure connectionbetween the virtual terminal on the client computer and the serviceenclave; and upon resuming the secure connection, resuming transmissionof updates from the update enclave to the client computing device.
 15. Asystem for updating one or more trusted software modules in a secureboot device directly connected to a client computing system, the systemcomprising: a service enclave configured to receive and respond toauthentication and authorization requests from a client computingsystem, and to define one or more communities of interest associatedwith a secure boot device; a customer enclave configured to, uponauthorization of the secure boot device at the service enclave,establish a secure connection to the client computing system and receivetransaction information from the client computing system; and an updateenclave configured to, while the secure connection is establishedbetween the customer enclave and the client computing device, establisha second secure connection between the update enclave and the clientcomputing device and update one or more of the trusted software modules.16. The system of claim 15, wherein the customer enclave is at aseparate location from the update enclave.
 17. The system of claim 15,wherein the service enclave includes an authorization server configuredto receive and respond to authorization requests from the clientcomputing device.
 18. The system of claim 15, wherein the serviceenclave includes an administrative server configured to managecommunities of interest, each community of interest defining one or moreusers and one or more resources the one or more users are authorized toaccess.
 19. The system of claim 15, wherein the update enclave iscollocated with the service enclave.
 20. The system of claim 15, whereinthe secure boot device includes a read-only memory portion and aread-write memory portion, the read-only memory portion including a bootmodule.
 21. The system of claim 15, wherein the update enclave isconfigured to update one or more trusted software modules stored in theread-write memory portion of the secure boot device.
 22. Acomputer-storage medium storing computing instructions which, whenexecuted, implement a computerized method of updating a virtual terminalassociated with a secure network, the method comprising: validating at aservice enclave an identity of a user of a virtual terminal, the serviceenclave including an authorization server, and the virtual terminalgenerated from a trusted set of processing modules executing from asecure boot device at a client computing device; authorizing the user ofthe virtual terminal to access a customer enclave based on securitycredentials received from the virtual terminal; and while the user ofthe virtual terminal establishes a secure connection between the clientcomputing device and the customer enclave, transmitting updates from anupdate enclave to the client computing device, thereby updating thetrusted set of processing modules.